Fix memory overflow issue about strncat

If src contains n or more bytes, strncat() writes n+1 bytes to dest
(n from src plus the terminating null byte).   Therefore, the size of
dest must be at least strlen(dest)+n+1.

	* config/tc-tic4x.c (md_assemble): Correct strncat size.

diff --git a/gas/ChangeLog b/gas/ChangeLog
index 3e3384e..b265f73 100644 (file)
--- a/gas/ChangeLog
+++ b/gas/ChangeLog
@@ -1,3 +1,9 @@
+2014-10-28  Alan Modra  <amodra@gmail.com>
+
+       Apply trunk patches
+       2014-10-15  Chen Gang  <gang.chen.5i5j@gmail.com>
+       * config/tc-tic4x.c (md_assemble): Correct strncat size.
+
 2014-10-15  Tristan Gingold  <gingold@adacore.com>
 
        * configure: Regenerate.

diff --git a/gas/config/tc-tic4x.c b/gas/config/tc-tic4x.c
index 904a68c..dc82168 100644 (file)
--- a/gas/config/tc-tic4x.c
+++ b/gas/config/tc-tic4x.c
@@ -2456,7 +2456,7 @@ md_assemble (char *str)
       if (*s)                  /* Null terminate for hash_find.  */
        *s++ = '\0';            /* and skip past null.  */
       strcat (insn->name, "_");
-      strncat (insn->name, str, TIC4X_NAME_MAX - strlen (insn->name));
+      strncat (insn->name, str, TIC4X_NAME_MAX - 1 - strlen (insn->name));
 
       insn->operands[insn->num_operands++].mode = M_PARALLEL;