https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84831

            Bug ID: 84831
           Summary: Invalid memory read in parse_output_constraint
           Product: gcc
           Version: 8.0.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: hjl.tools at gmail dot com
  Target Milestone: ---

parse_output_constraint has

  /* Loop through the constraint string.  */
  for (p = constraint + 1; *p; p += CONSTRAINT_LEN (*p, p))

#define CONSTRAINT_LEN(c_,s_) insn_constraint_len (c_,s_)

On x86, there is

static inline size_t
insn_constraint_len (char fc, const char *str ATTRIBUTE_UNUSED)
{
  switch (fc)
    {
    case 'B': return 2;
    case 'T': return 2;
    case 'W': return 2;
    case 'Y': return 2;
    default: break;
    }
  return 1;
}

For

  asm volatile ("" : "+T,Y" (b));

parse_output_constraint doesn't check whether p += CONSTRAINT_LEN (*p, p)
moves p beyond the end of the string, so the next *p reads past the
terminating NUL.
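To make the over-read concrete, the following stand-alone C program is an added example, not code from GCC or from this report. It copies the two-character table quoted above into a local constraint_len (names such as naive_loop_overshoots and parse_constraint_checked are mine, not GCC identifiers) and walks the constraint on offsets bounded by strlen, so it can show, without touching out-of-bounds memory, that the stride for "+T,Y" lands two bytes past the NUL, and how a length check against the remaining bytes turns the malformed input into an error instead.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the x86 insn_constraint_len quoted in the report: B, T, W and Y
   introduce two-character constraints, everything else is one character.
   Hypothetical local copy, not GCC's header.  */
static size_t constraint_len(char fc)
{
  switch (fc)
    {
    case 'B': case 'T': case 'W': case 'Y': return 2;
    default: return 1;
    }
}

/* Simulates the loop "for (p = constraint + 1; *p; p += CONSTRAINT_LEN)"
   on offsets only, never dereferencing past the string.  Returns 1 when
   the stride would step beyond the terminating NUL (so the real loop's
   next *p is an out-of-bounds read), 0 when it stops cleanly on the NUL.  */
int naive_loop_overshoots(const char *constraint)
{
  size_t n = strlen(constraint);
  size_t i = 1;                     /* the real loop starts at constraint + 1 */
  while (i < n)
    i += constraint_len(constraint[i]);
  return i > n;
}

/* Hardened walk: a multi-character constraint may only be consumed when
   that many bytes remain before the NUL.  Returns the number of constraint
   tokens (the ',' alternative separator is skipped, not counted), or -1 for
   an empty string or a truncated multi-character constraint such as "+T,Y".  */
int parse_constraint_checked(const char *constraint)
{
  if (constraint == NULL || *constraint == '\0')
    return -1;
  size_t n = strlen(constraint);
  int tokens = 0;
  for (size_t i = 1; i < n; )
    {
      if (constraint[i] == ',')
        { i++; continue; }
      size_t len = constraint_len(constraint[i]);
      if (len > n - i)              /* 'Y' at the end needs 2 bytes, only 1 left */
        return -1;
      tokens++;
      i += len;
    }
  return tokens;
}

int main(void)
{
  /* Constructed inputs: the report's trigger and two well-formed strings.  */
  const char *samples[] = { "+T,Y", "+r,m", "+Tm,Ya" };
  for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
    printf("%-8s overshoots=%d checked=%d\n", samples[k],
           naive_loop_overshoots(samples[k]),
           parse_constraint_checked(samples[k]));
  return 0;
}
```

The simulation reproduces the report's arithmetic: for "+T,Y" the walk goes 1 -> 3 -> 5 while the NUL sits at offset 4, which is exactly the read parse_output_constraint performs. The checked variant is the shape of fix a reviewer would look for: validate the declared constraint length against the bytes that remain before advancing p.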
