From 565be91fb729611e8056face229d37d25bba360b Mon Sep 17 00:00:00 2001
From: "H. Peter Anvin" <hpa@zytor.com>
Date: Sun, 5 Jul 2009 22:15:57 -0700
Subject: [PATCH] BR 2817225: don't overrun a permts buffer with a maximum
 label

BR 677841 was fixed backwards, with a reverse condition.  Correct the
direction of the fix, and add an assert for the overflow condition.

Note: the bug was non-manifest in previous build, so this is not a
security issue.

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
---
 labels.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/labels.c b/labels.c
index 88eb46d..3654f47 100644
--- a/labels.c
+++ b/labels.c
@@ -82,9 +82,9 @@
 #define END_BLOCK -2
 #define BOGUS_VALUE -4
 
-#define PERMTS_SIZE  4096       /* size of text blocks */
-#if (PERMTS_SIZE > IDLEN_MAX)
-#error "IPERMTS_SIZE must be less than or equal to IDLEN_MAX"
+#define PERMTS_SIZE  16384	/* size of text blocks */
+#if (PERMTS_SIZE < IDLEN_MAX)
+#error "IPERMTS_SIZE must be greater than or equal to IDLEN_MAX"
 #endif
 
 /* values for label.defn.is_global */
@@ -481,6 +481,8 @@ static char *perm_copy(const char *string)
     char *p;
     int len = strlen(string)+1;
 
+    nasm_assert(len <= PERMTS_SIZE);
+
     if (perm_tail->size - perm_tail->usage < len) {
         perm_tail->next =
             (struct permts *)nasm_malloc(sizeof(struct permts));
-- 
2.7.4