From 3c076c9642fd8877def0a0597ec7e4adfb5aa3b3 Mon Sep 17 00:00:00 2001
From: Jakub Jelinek <jakub@redhat.com>
Date: Tue, 28 Jan 2020 08:44:07 +0100
Subject: [PATCH] gimple-fold: Fix buffer overflow in fold_array_ctor_reference
 [PR93454]

libgcrypt FAILs to build on aarch64-linux with
*** stack smashing detected ***: terminated
when gcc is compiled with -D_FORTIFY_SOURCE=2.  The problem is if
fold_array_ctor_reference is called with size equal to or very close to
MAX_BITSIZE_MODE_ANY_MODE bits and non-zero inner_offset.
The first native_encode_expr is called with that inner_offset and bufoff 0,
the subsequent ones with offset of 0, and bufoff elt_size - inner_offset,
2 * elt_size - inner_offset etc.  So, e.g. on the testcase where we start
with inner_offset 1 and size is e.g. 256 bytes and elt_size 4 bytes
we then call native_encode_expr at bufoff 251 and then 255, but that one
overwrites 3 bytes beyond the buf array.
The following patch fixes that.  In addition, it avoids calling
elt_size.to_uhwi () all the time, and punts if elt_sz would be too large.

2020-01-28  Jakub Jelinek  <jakub@redhat.com>

	PR tree-optimization/93454
	* gimple-fold.c (fold_array_ctor_reference): Perform
	elt_size.to_uhwi () just once, instead of calling it in every
	iteration.  Punt if that value is above size of the temporary
	buffer.  Decrease third native_encode_expr argument when
	bufoff + elt_sz is above size of buf.

	* gcc.dg/pr93454.c: New test.
---
 gcc/ChangeLog                  |  9 +++++++++
 gcc/gimple-fold.c              | 13 ++++++++-----
 gcc/testsuite/ChangeLog        |  5 +++++
 gcc/testsuite/gcc.dg/pr93454.c | 25 +++++++++++++++++++++++++
 4 files changed, 47 insertions(+), 5 deletions(-)
 create mode 100644 gcc/testsuite/gcc.dg/pr93454.c

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index af0945f..6db98ed 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,12 @@
+2020-01-28  Jakub Jelinek  <jakub@redhat.com>
+
+	PR tree-optimization/93454
+	* gimple-fold.c (fold_array_ctor_reference): Perform
+	elt_size.to_uhwi () just once, instead of calling it in every
+	iteration.  Punt if that value is above size of the temporary
+	buffer.  Decrease third native_encode_expr argument when
+	bufoff + elt_sz is above size of buf.
+
 2020-01-27  Joseph Myers  <joseph@codesourcery.com>
 
 	* config/mips/mips.c (mips_declare_object_name)
diff --git a/gcc/gimple-fold.c b/gcc/gimple-fold.c
index 569f91e..ed22592 100644
--- a/gcc/gimple-fold.c
+++ b/gcc/gimple-fold.c
@@ -6665,12 +6665,14 @@ fold_array_ctor_reference (tree type, tree ctor,
   /* And offset within the access.  */
   inner_offset = offset % (elt_size.to_uhwi () * BITS_PER_UNIT);
 
-  if (size > elt_size.to_uhwi () * BITS_PER_UNIT)
+  unsigned HOST_WIDE_INT elt_sz = elt_size.to_uhwi ();
+  if (size > elt_sz * BITS_PER_UNIT)
     {
       /* native_encode_expr constraints.  */
       if (size > MAX_BITSIZE_MODE_ANY_MODE
 	  || size % BITS_PER_UNIT != 0
-	  || inner_offset % BITS_PER_UNIT != 0)
+	  || inner_offset % BITS_PER_UNIT != 0
+	  || elt_sz > MAX_BITSIZE_MODE_ANY_MODE / BITS_PER_UNIT)
 	return NULL_TREE;
 
       unsigned ctor_idx;
@@ -6701,10 +6703,11 @@ fold_array_ctor_reference (tree type, tree ctor,
       index = wi::umax (index, access_index);
       do
 	{
-	  int len = native_encode_expr (val, buf + bufoff,
-					elt_size.to_uhwi (),
+	  if (bufoff + elt_sz > sizeof (buf))
+	    elt_sz = sizeof (buf) - bufoff;
+	  int len = native_encode_expr (val, buf + bufoff, elt_sz,
 					inner_offset / BITS_PER_UNIT);
-	  if (len != elt_size - inner_offset / BITS_PER_UNIT)
+	  if (len != (int) elt_sz - inner_offset / BITS_PER_UNIT)
 	    return NULL_TREE;
 	  inner_offset = 0;
 	  bufoff += len;
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index f83f18b..44d8e67 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,3 +1,8 @@
+2020-01-28  Jakub Jelinek  <jakub@redhat.com>
+
+	PR tree-optimization/93454
+	* gcc.dg/pr93454.c: New test.
+
 2020-01-27  David Malcolm  <dmalcolm@redhat.com>
 
 	PR analyzer/93451
diff --git a/gcc/testsuite/gcc.dg/pr93454.c b/gcc/testsuite/gcc.dg/pr93454.c
new file mode 100644
index 0000000..84c47cf
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/pr93454.c
@@ -0,0 +1,25 @@
+/* PR tree-optimization/93454 */
+/* { dg-do compile } */
+/* { dg-options "-O2 -g" } */
+
+#if __SIZEOF_INT__ == 4 && __CHAR_BIT__ == 8
+#define A(n) n, n + 0x01010101, n + 0x02020202, n + 0x03030303
+#define B(n) A (n), A (n + 0x04040404), A (n + 0x08080808), A (n + 0x0c0c0c0c)
+#define C(n) B (n), B (n + 0x10101010), B (n + 0x20202020), B (n + 0x30303030)
+#define D(n) C (n), C (n + 0x40404040), C (n + 0x80808080U), C (n + 0xc0c0c0c0U)
+const unsigned int a[64] = { C (0) };
+const unsigned int b[256] = { D (0) };
+const unsigned int c[32] = { B (0), B (0x10101010) };
+const unsigned int d[16] = { B (0) };
+const unsigned int e[8] = { A (0), A (0x04040404) };
+
+void
+foo (void)
+{
+  const unsigned char *s = ((const unsigned char *) a) + 1;
+  const unsigned char *t = ((const unsigned char *) b) + 1;
+  const unsigned char *u = ((const unsigned char *) c) + 1;
+  const unsigned char *v = ((const unsigned char *) d) + 1;
+  const unsigned char *w = ((const unsigned char *) e) + 1;
+}
+#endif
-- 
2.7.4