Proper bound check in _bfd_doprnt_scan

While an abort after storing out of bounds by one to an array in our caller is probably OK in practice, it's better to check before storing. PR 22397 * bfd.c (_bfd_doprnt_scan): Check args index before storing, not after.
2025-01-30 12:44:10 +08:00 · 2017-11-05 19:52:13 +10:30 · 2017-11-05 19:52:13 +10:30 · 26a9301057
commit 26a9301057
parent 7167fe4c70
2 changed files with 12 additions and 6 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,9 @@
 2017-11-05  Alan Modra  <amodra@gmail.com>
 	PR 22397
 	* bfd.c (_bfd_doprnt_scan): Check args index before storing, not
 	after.
 2017-11-05  Alan Modra  <amodra@gmail.com>
 	PR 22397
--- a/bfd/bfd.c
+++ b/bfd/bfd.c
@ -974,10 +974,10 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
 		  arg_index = *ptr - '1';
 		  ptr += 2;
 		}
 	      if (arg_index >= 9)
 		abort ();
 	      args[arg_index].type = Int;
 	      arg_count++;
 	      if (arg_count > 9)
 		abort ();
 	    }
 	  else
 	    /* Handle explicit numeric value.  */
@ -999,10 +999,10 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
 		      arg_index = *ptr - '1';
 		      ptr += 2;
 		    }
 		  if (arg_index >= 9)
 		    abort ();
 		  args[arg_index].type = Int;
 		  arg_count++;
 		  if (arg_count > 9)
 		    abort ();
 		}
 	      else
 		/* Handle explicit numeric value.  */
@ -1032,6 +1032,8 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
 	  if ((int) arg_no < 0)
 	    arg_no = arg_count;
 	  if (arg_no >= 9)
 	    abort ();
 	  switch (ptr[-1])
 	    {
 	    case 'd':
@ -1100,8 +1102,6 @@ _bfd_doprnt_scan (const char *format, union _bfd_doprnt_args *args)
 	      abort();
 	    }
 	  arg_count++;
 	  if (arg_count > 9)
 	    abort ();
 	}
    }