Fix memory overflow issue about strncat

If src contains n or more bytes, strncat() writes n+1 bytes to dest
(n from src plus the terminating null byte).   Therefore, the size of
dest must be at least strlen(dest)+n+1.

	* config/tc-tic4x.c (md_assemble): Correct strncat size.

diff --git a/gas/ChangeLog b/gas/ChangeLog
index 3e3384e3ce814deedb5ba52d8414a67353422cd8..b265f73dd9ccec0dd78fa2f32b162f10fc12d8f4 100644 (file)
--- a/gas/ChangeLog
+++ b/gas/ChangeLog
@@ -1,3 +1,9 @@
+2014-10-28  Alan Modra  <amodra@gmail.com>
+
+       Apply trunk patches
+       2014-10-15  Chen Gang  <gang.chen.5i5j@gmail.com>
+       * config/tc-tic4x.c (md_assemble): Correct strncat size.
+
 2014-10-15  Tristan Gingold  <gingold@adacore.com>
 
        * configure: Regenerate.

diff --git a/gas/config/tc-tic4x.c b/gas/config/tc-tic4x.c
index 904a68c849e1ff3f019d0c83000751da33fed66a..dc821680739c508afcc8d69b0fcb37b94bd574e4 100644 (file)
--- a/gas/config/tc-tic4x.c
+++ b/gas/config/tc-tic4x.c
@@ -2456,7 +2456,7 @@ md_assemble (char *str)
       if (*s)                  /* Null terminate for hash_find.  */
        *s++ = '\0';            /* and skip past null.  */
       strcat (insn->name, "_");
-      strncat (insn->name, str, TIC4X_NAME_MAX - strlen (insn->name));
+      strncat (insn->name, str, TIC4X_NAME_MAX - 1 - strlen (insn->name));
 
       insn->operands[insn->num_operands++].mode = M_PARALLEL;