bug-binutils

[Bug binutils/11742] New: readelf.c: get_archive_member_name(): array su


From: haubi at gentoo dot org
Subject: [Bug binutils/11742] New: readelf.c: get_archive_member_name(): array subscript is above array bounds
Date: 23 Jun 2010 12:00:58 -0000

Compiling binutils-2.20.1 on hppa-hpux using hp-gcc-4.4.3 with CFLAGS=-O3 gives
this warning, which is treated as an error:
/binutils/readelf.c: In function 'get_archive_member_name':
/binutils/readelf.c:11200: error: array subscript is above array bounds

The code there in function get_archive_member_name() is:
11199   j = 0;
11200   while ((arch->arhdr.ar_name[j] != '/') && (j < 16))
11201     j++;
11202   arch->arhdr.ar_name[j] = '\0';

Why this is 'above array bounds': When there is no '/' found in ar_name, 'j'
increments up to 15 - which is still lower than 16, thus 'j' is incremented to
16, and used again in the next iteration in #11200 for reading.
Subsequently, 'j' is used for writing in #11202, which is beyond ar_name too.

The declaration of 'ar_name' in 'struct ar_hdr' is in include/aout/ar.h:
43 struct ar_hdr
44 {
45   char ar_name[16];             /* Name of this member.  */
46   char ar_date[12];             /* File mtime.  */

BTW: This code was committed to readelf.c in revision 1.439.

-- 
           Summary: readelf.c: get_archive_member_name(): array subscript is
                    above array bounds
           Product: binutils
           Version: 2.20
            Status: NEW
          Severity: normal
          Priority: P2
         Component: binutils
        AssignedTo: unassigned at sources dot redhat dot com
        ReportedBy: haubi at gentoo dot org
                CC: bug-binutils at gnu dot org
 GCC build triplet: hppa2.0w-hp-hpux11.31
  GCC host triplet: hppa2.0w-hp-hpux11.31
GCC target triplet: hppa2.0w-hp-hpux11.31


http://sourceware.org/bugzilla/show_bug.cgi?id=11742
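
The off-by-one described in the report above, as an added example that is not part of the original message and not binutils code: the reported loop is replayed over a flat buffer holding 16 name bytes followed by 12 date bytes, so the access at index 16 is defined here and its effect on the neighbouring field can be observed. The function names, the hardened helper and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define AR_NAME_LEN 16  /* char ar_name[16] in struct ar_hdr */
#define AR_DATE_LEN 12  /* char ar_date[12] follows it */

/* The reported loop, replayed over a flat buffer (name bytes followed by
   date bytes) so that index 16 is a defined access in this demo. */
static size_t reported_loop_index(const char *raw)
{
    size_t j = 0;
    while ((raw[j] != '/') && (j < AR_NAME_LEN))  /* element read before bound test */
        j++;
    return j;
}

/* Hypothetical hardened helper: bound test first, NUL written to a copy
   with one spare byte, so the header itself is never modified. */
static size_t member_name_copy(const char *name, char out[AR_NAME_LEN + 1])
{
    size_t j = 0;
    while (j < AR_NAME_LEN && name[j] != '/')
        j++;
    memcpy(out, name, j);
    out[j] = '\0';
    return j;
}

/* Returns 1 if the terminator written by the reported code lands on the
   first byte of the date field. Sample bytes are constructed. */
static int terminator_hits_date(void)
{
    char raw[AR_NAME_LEN + AR_DATE_LEN];
    memcpy(raw, "0123456789abcdef", AR_NAME_LEN);          /* no '/' in 16 bytes */
    memcpy(raw + AR_NAME_LEN, "1277294458  ", AR_DATE_LEN);
    size_t j = reported_loop_index(raw);
    raw[j] = '\0';                                          /* as on line 11202 */
    return j == AR_NAME_LEN && raw[AR_NAME_LEN] == '\0';
}

int main(void)
{
    char out[AR_NAME_LEN + 1];
    printf("terminator hits date field: %d\n", terminator_hits_date());
    printf("copied %zu bytes: %s\n", member_name_copy("libfoo.o/       ", out), out);
    return 0;
}
```

Swapping the two operands of `&&` is enough to stop the read at index 16; the write needs either a bound on `j` or a destination with room for the terminator, which is what the copy provides.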
