nfp: add validity check of island and me

AddressSanitizer detects heap-buffer-overflow when running "objdump -D" for nfp .nffw files. PR 27854 * nfp-dis.c (_NFP_ISLAND_MAX, _NFP_ME_MAX): Define. (nfp_priv_data): ..and use here. (_print_instrs): Sanity check island and menum. Signed-off-by: Yinjun Zhang <yinjun.zhang@corigine.com> Signed-off-by: Simon Horman <simon.horman@corigine.com>
2025-02-23 13:21:43 +08:00 · 2021-08-25 21:01:17 -04:00 · 2021-08-25 21:01:17 -04:00 · 90f56146e5
commit 90f56146e5
parent 64cb17196c
1 changed files with 10 additions and 1 deletions
--- a/opcodes/nfp-dis.c
+++ b/opcodes/nfp-dis.c
@ -46,6 +46,9 @@
 #define _NFP_ME27_28_CSR_CTX_ENABLES     0x18
 #define _NFP_ME27_28_CSR_MISC_CONTROL    0x160

+#define _NFP_ISLAND_MAX 64
+#define _NFP_ME_MAX     12
+
 typedef struct
 {
  unsigned char ctx4_mode:1;
@ -65,7 +68,7 @@ nfp_opts;
 /* mecfgs[island][menum][is-text] */
 typedef struct
 {
-  nfp_priv_mecfg mecfgs[64][12][2];
+  nfp_priv_mecfg mecfgs[_NFP_ISLAND_MAX][_NFP_ME_MAX][2];
 }
 nfp_priv_data;

@ -2837,6 +2840,12 @@ _print_instrs (bfd_vma addr, struct disassemble_info *dinfo, nfp_opts * opts)
 	  break;
 	}

+      if (island >= _NFP_ISLAND_MAX || menum >= _NFP_ME_MAX)
+	{
+	  dinfo->fprintf_func (dinfo->stream, "Invalid island or me.");
+	  return _NFP_ERR_STOP;
+	}
+
      mecfg = &priv->mecfgs[island][menum][is_text];
      num_ctx = (mecfg->ctx4_mode) ? 4 : 8;
      addr_3rdparty32 = mecfg->addr_3rdparty32;