diff mbox series

gas: don't allow single quote to go past eol

Message ID aeVZgev2g-i7gtDy@squeak.grove.modra.org
State New
Headers
Series gas: don't allow single quote to go past eol |

Checks

Context Check Description
linaro-tcwg-bot/tcwg_binutils_build--master-aarch64 fail Patch failed to apply
linaro-tcwg-bot/tcwg_binutils_build--master-arm fail Patch failed to apply

Commit Message

Alan Modra April 19, 2026, 10:38 p.m. UTC 
  Fuzzers have found a testcase where expr() runs off the end of a strdup
buffer created in tc-i386.c check_Scc_OszcOperations.
printf '\"\000.insn EVEX  {scc='\''\000' > test.s

This patch fixes the overrun, and another parsing error that has
existed since commit 219deb70ce2c.  gas/testsuite/gas/mri/float.s
doesn't exercise that mri mode code path.

	* expr.c (operand): Don't increment input_line_pointer past
	end of line/statement when single quote appears at the end of
	a line.  Don't increment input_line_pointer before mri mode
	':' hex float.
diff mbox series

Patch

diff --git a/gas/expr.c b/gas/expr.c
index 7108d7332c4..ec6cedf60d1 100644
--- a/gas/expr.c
+++ b/gas/expr.c
@@ -1063,7 +1063,9 @@  operand (expressionS *expressionP, enum expr_mode mode)
 	     character, parity errors and all, is taken as the value
 	     of the operand.  VERY KINKY.  */
 	  expressionP->X_op = O_constant;
-	  expressionP->X_add_number = *input_line_pointer++;
+	  expressionP->X_add_number = *input_line_pointer;
+	  if (!is_end_of_stmt (*input_line_pointer))
+	    input_line_pointer++;
 	  break;
 	}
 
@@ -1325,7 +1327,6 @@  operand (expressionS *expressionP, enum expr_mode mode)
       /* In MRI mode, this is a floating point constant represented
 	 using hexadecimal digits.  */
 
-      ++input_line_pointer;
       integer_constant (16, expressionP);
       break;