Fix use after free in cgen instruction lookup

* cgen-opc.c (cgen_lookup_insn): Delete buf and base_insn temps. Use insn_bytes_value and insn_int_value directly instead. Don't free allocated memory until function exit.
2017-02-11 17:17:59 +10:30 · 2017-02-11 17:17:59 +10:30 · 54064fdb79
parent 09ec4d3122
commit 54064fdb79
2 changed files with 20 additions and 15 deletions
--- a/opcodes/ChangeLog
+++ b/opcodes/ChangeLog
@ -1,3 +1,10 @@
 2017-02-11  Stafford Horne  <shorne@gmail.com>
 	    Alan Modra  <amodra@gmail.com>
 	* cgen-opc.c (cgen_lookup_insn): Delete buf and base_insn temps.
 	Use insn_bytes_value and insn_int_value directly instead.  Don't
 	free allocated memory until function exit.
 2017-02-10  Nicholas Piggin  <npiggin@gmail.com>
 	* ppc-opc.c (powerpc_opcodes) <scv, rfscv>: New mnemonics.
--- a/opcodes/cgen-opc.c
+++ b/opcodes/cgen-opc.c
@ -452,18 +452,14 @@ cgen_lookup_insn (CGEN_CPU_DESC cd,
 		  CGEN_FIELDS *fields,
 		  int alias_p)
 {
  unsigned char *buf;
  CGEN_INSN_INT base_insn;
  CGEN_EXTRACT_INFO ex_info;
  CGEN_EXTRACT_INFO *info;
  if (cd->int_insn_p)
    {
      info = NULL;
-      buf = (unsigned char *) xmalloc (cd->max_insn_bitsize / 8);
+      insn_bytes_value = (unsigned char *) xmalloc (cd->max_insn_bitsize / 8);
-      cgen_put_insn_value (cd, buf, length, insn_int_value);
+      cgen_put_insn_value (cd, insn_bytes_value, length, insn_int_value);
      base_insn = insn_int_value;
      free (buf);
    }
  else
    {
@ -471,8 +467,7 @@ cgen_lookup_insn (CGEN_CPU_DESC cd,
      ex_info.dis_info = NULL;
      ex_info.insn_bytes = insn_bytes_value;
      ex_info.valid = -1;
-      buf = insn_bytes_value;
+      insn_int_value = cgen_get_insn_value (cd, insn_bytes_value, length);
      base_insn = cgen_get_insn_value (cd, buf, length);
    }
  if (!insn)
@ -482,7 +477,8 @@ cgen_lookup_insn (CGEN_CPU_DESC cd,
      /* The instructions are stored in hash lists.
 	 Pick the first one and keep trying until we find the right one.  */
-      insn_list = cgen_dis_lookup_insn (cd, (char *) buf, base_insn);
+      insn_list = cgen_dis_lookup_insn (cd, (char *) insn_bytes_value,
 					insn_int_value);
      while (insn_list != NULL)
 	{
 	  insn = insn_list->insn;
@ -494,18 +490,18 @@ cgen_lookup_insn (CGEN_CPU_DESC cd,
 	      /* Basic bit mask must be correct.  */
 	      /* ??? May wish to allow target to defer this check until the
 		 extract handler.  */
-	      if ((base_insn & CGEN_INSN_BASE_MASK (insn))
+	      if ((insn_int_value & CGEN_INSN_BASE_MASK (insn))
 		  == CGEN_INSN_BASE_VALUE (insn))
 		{
 		  /* ??? 0 is passed for `pc' */
 		  int elength = CGEN_EXTRACT_FN (cd, insn)
-		    (cd, insn, info, base_insn, fields, (bfd_vma) 0);
+		    (cd, insn, info, insn_int_value, fields, (bfd_vma) 0);
 		  if (elength > 0)
 		    {
 		      /* sanity check */
 		      if (length != 0 && length != elength)
 			abort ();
-		      return insn;
+		      break;
 		    }
 		}
 	    }
@ -525,15 +521,17 @@ cgen_lookup_insn (CGEN_CPU_DESC cd,
      /* ??? 0 is passed for `pc' */
      length = CGEN_EXTRACT_FN (cd, insn)
-	(cd, insn, info, base_insn, fields, (bfd_vma) 0);
+	(cd, insn, info, insn_int_value, fields, (bfd_vma) 0);
      /* Sanity check: must succeed.
 	 Could relax this later if it ever proves useful.  */
      if (length == 0)
 	abort ();
      return insn;
    }
-  return NULL;
+  if (cd->int_insn_p)
    free (insn_bytes_value);
  return insn;
 }
 /* Fill in the operand instances used by INSN whose operands are FIELDS.