https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89094

            Bug ID: 89094
           Summary: collect2.c:main c_argv buffer is undersized when -EL,
                    -EB or -B used in COLLECT_GCC_OPTIONS
           Product: gcc
           Version: 9.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: other
          Assignee: unassigned at gcc dot gnu.org
          Reporter: remi at machet dot us
  Target Milestone: ---

collect2.c main() uses an array to store filtered arguments called c_argv. The
size of that array is based on num_c_args, which accounts for 15 entries plus
command line arguments and one entry per -qm or -qf argument inside
COLLECT_GCC_OPTIONS:
    /* Now pick up any flags we want early from COLLECT_GCC_OPTIONS
       The LTO options are passed here as are other options that might
       be unsuitable for ld (e.g. -save-temps).  */
    p = getenv ("COLLECT_GCC_OPTIONS");
    while (p && *p)
      {
        const char *q = extract_string (&p);
        if (*q == '-' && (q[1] == 'm' || q[1] == 'f'))
          num_c_args++;
...

But later, when the array is filled, more options not accounted for above are
added to the array if found in COLLECT_GCC_OPTIONS: -EL, -EB, -B<path> and 2
entries for '-B <path>':
      if (*q == '-' && (q[1] == 'm' || q[1] == 'f'))
        *c_ptr++ = xstrdup (q);
      if (strcmp (q, "-EL") == 0 || strcmp (q, "-EB") == 0)
        *c_ptr++ = xstrdup (q);
      if (strcmp (q, "-shared") == 0)
        shared_obj = 1;
      if (strcmp (q, "-static") == 0)
        static_obj = 1;
      if (*q == '-' && q[1] == 'B')
        {
          *c_ptr++ = xstrdup (q);
          if (q[2] == 0)
            {
              q = extract_string (&p);
              *c_ptr++ = xstrdup (q);
            }
        }

Any of the extra options, if present, causes c_argv to overflow.
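
The mismatch between the two passes quoted above can be measured directly. The following is an added example, not code from collect2.c or from the reporter: it replays both predicates over the same option string and returns how many slots each pass reserves or writes. next_token is a hypothetical, simplified stand-in for extract_string (space-separated tokens, no quote handling), and the option string in main() is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for extract_string: copies the next
   space-separated token into buf; returns 0 at end of input. */
static int next_token(const char **p, char *buf, size_t n)
{
    size_t i = 0;
    while (**p == ' ') (*p)++;
    if (**p == '\0') return 0;
    while (**p && **p != ' ') {
        if (i + 1 < n) buf[i++] = **p;   /* truncate, never overrun buf */
        (*p)++;
    }
    buf[i] = '\0';
    return 1;
}

/* Slots reserved by the sizing pass in the report: only -m* and -f*. */
int slots_reserved(const char *opts)
{
    char q[256]; int n = 0;
    while (next_token(&opts, q, sizeof q))
        if (q[0] == '-' && (q[1] == 'm' || q[1] == 'f')) n++;
    return n;
}

/* Slots written by the fill pass in the report: -m*, -f*, -EL, -EB,
   -B<path>, and two slots for "-B <path>". */
int slots_written(const char *opts)
{
    char q[256]; int n = 0;
    while (next_token(&opts, q, sizeof q)) {
        if (q[0] == '-' && (q[1] == 'm' || q[1] == 'f')) n++;
        if (strcmp(q, "-EL") == 0 || strcmp(q, "-EB") == 0) n++;
        if (q[0] == '-' && q[1] == 'B') {
            n++;
            if (q[2] == '\0' && next_token(&opts, q, sizeof q)) n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample option string. */
    const char *opts = "-mlittle-endian -EL -B /opt/x -B/opt/y -shared";
    printf("reserved=%d written=%d\n", slots_reserved(opts), slots_written(opts));
    return 0;
}
```

Sizing the array with the same predicate the fill pass uses (slots_written here) keeps the two counts equal for every input.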
