https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84831
Bug ID: 84831
Summary: Invalid memory read in parse_output_constraint
Product: gcc
Version: 8.0.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: hjl.tools at gmail dot com
Target Milestone: ---

parse_output_constraint has

    /* Loop through the constraint string.  */
    for (p = constraint + 1; *p; p += CONSTRAINT_LEN (*p, p))

with

    #define CONSTRAINT_LEN(c_,s_) insn_constraint_len (c_,s_)

On x86, there is

    static inline size_t
    insn_constraint_len (char fc, const char *str ATTRIBUTE_UNUSED)
    {
      switch (fc)
        {
        case 'B': return 2;
        case 'T': return 2;
        case 'W': return 2;
        case 'Y': return 2;
        default: break;
        }
      return 1;
    }

For

    asm volatile ("" : "+T,Y" (b));

parse_output_constraint doesn't check if p += CONSTRAINT_LEN (*p, p) is beyond the end of the string.
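To make the failure mode concrete, here is an added model of that loop (example code written for this page, not GCC's own parse_output_constraint): the same length table, an unchecked walk that reports how far past the terminating NUL the loop would step for a given constraint string, and a bounded variant that rejects a truncated multi-character constraint instead of stepping over the NUL.

```c
#include <stddef.h>
#include <string.h>

/* Same table as the x86 insn_constraint_len quoted in the report:
   'B', 'T', 'W' and 'Y' start two-character constraints. */
static size_t insn_constraint_len(char fc, const char *str)
{
  (void)str;
  switch (fc)
    {
    case 'B': case 'T': case 'W': case 'Y':
      return 2;
    default:
      return 1;
    }
}

/* Model of `for (p = constraint + 1; *p; p += CONSTRAINT_LEN (*p, p))`.
   Instead of dereferencing whatever lies past the string, stop at the
   NUL and return how many bytes beyond it the next `*p` test would read
   (0 means the loop terminates cleanly). */
size_t unchecked_overshoot(const char *constraint)
{
  const char *end = constraint + strlen(constraint);  /* the NUL byte */
  const char *p = constraint + 1;                      /* skip '+' / '=' */
  while (p < end)                                      /* `*p` while in bounds */
    p += insn_constraint_len(*p, p);
  return (size_t)(p - end);
}

/* Bounded walk: verify that a multi-character constraint really has all
   its characters before stepping over them.  Returns the number of
   comma-separated alternatives, or -1 if the string is truncated. */
long count_alternatives_checked(const char *constraint)
{
  const char *end = constraint + strlen(constraint);
  long alternatives = 1;
  for (const char *p = constraint + 1; p < end; )
    {
      size_t len = insn_constraint_len(*p, p);
      if ((size_t)(end - p) < len)
        return -1;             /* e.g. 'Y' as the last character of "+T,Y" */
      if (*p == ',')
        alternatives++;
      p += len;
    }
  return alternatives;
}
```

With "+T,Y" the 'T' swallows the ',' as its second character, so the 'Y' at the end steps one byte past the NUL; "+r,m" and "=Yk" walk cleanly.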