From 71f646f2b3fc6e273fd17b5fdc9ba6bae242b330 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Wed, 15 Mar 2023 13:06:23 +0000
Subject: Fix an illegal memory access when disassembling a corrupt MeP file.
PR 30231
* mep.opc (mep_print_insn): Check for an out of range index.
---
cpu/ChangeLog | 5 +++++
cpu/mep.opc | 14 ++++++++++++++
opcodes/ChangeLog | 5 +++++
opcodes/mep-dis.c | 14 ++++++++++++++
4 files changed, 38 insertions(+)
diff --git a/cpu/ChangeLog b/cpu/ChangeLog
index bcb92e5cc56..23c89c99eab 100644
--- a/cpu/ChangeLog
+++ b/cpu/ChangeLog
@@ -1,3 +1,8 @@
+2023-03-15 Nick Clifton
+
+ PR 30231
+ * mep.opc (mep_print_insn): Check for an out of range index.
+
 2022-12-31 Nick Clifton
 
 * 2.40 branch created.
diff --git a/cpu/mep.opc b/cpu/mep.opc
index 75ae8308599..6b264ccb73e 100644
--- a/cpu/mep.opc
+++ b/cpu/mep.opc
@@ -1453,6 +1453,20 @@ mep_print_insn (CGEN_CPU_DESC cd, bfd_vma pc, disassemble_info *info)
 mep_config_index = abfd->tdata.elf_obj_data->elf_header->e_flags & EF_MEP_INDEX_MASK;
 /* This instantly redefines MEP_CONFIG, MEP_OMASK, .... MEP_VLIW64 */
 
+ /* mep_config_map is a variable sized array, so we do not know how big it is.
+ The only safe way to check the index therefore is to iterate over the array.
+ We do know that the last entry is all null. */
+ int i;
+ for (i = 0; i <= mep_config_index; i++)
+ if (mep_config_map[i].name == NULL)
+ break;
+
+ if (i < mep_config_index)
+ {
+ opcodes_error_handler (_("illegal MEP INDEX setting '%x' in ELF header e_flags field"), mep_config_index);
+ mep_config_index = 0;
+ }
+
 cop_type = abfd->tdata.elf_obj_data->elf_header->e_flags & EF_MEP_COP_MASK;
 if (cop_type == EF_MEP_COP_IVC2)
 ivc2 = 1;
diff --git a/opcodes/ChangeLog b/opcodes/ChangeLog
index fb6612abfa6..e8a224bc424 100644
--- a/opcodes/ChangeLog
+++ b/opcodes/ChangeLog
@@ -1,3 +1,8 @@
+2023-03-15 Nick Clifton
+
+ PR 30231
+ * mep-dis.c: Regenerate.
+
 2023-03-15 Nick Clifton
 
 PR 30230
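Review bot: The new check in the cpu/mep.opc hunk still accepts an index that lands exactly on the all-null terminator: when `mep_config_map[mep_config_index].name` is NULL the loop breaks with `i == mep_config_index`, so `i < mep_config_index` is false, the error path is skipped, and MEP_CONFIG and friends go on reading the sentinel entry rather than a real configuration. Since the loop already stops at the first NULL name within `0..mep_config_index`, the acceptance test should be `if (i <= mep_config_index)`, which rejects any index at or beyond the terminator while an index for which no terminator was met (`i == mep_config_index + 1`) is kept. The loop bound itself is finite because the context line above derives `mep_config_index` from `e_flags & EF_MEP_INDEX_MASK`, so only the equality case is left open. The enclosing mep_print_insn body starts and ends outside the hunk, and the opcodes/mep-dis.c hunk is the regenerated copy of the same lines, so the same fix applies there via regeneration.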
diff --git a/opcodes/mep-dis.c b/opcodes/mep-dis.c
index 3fe827e75de..72c6c101bfd 100644
--- a/opcodes/mep-dis.c
+++ b/opcodes/mep-dis.c
@@ -649,6 +649,20 @@ mep_print_insn (CGEN_CPU_DESC cd, bfd_vma pc, disassemble_info *info)
 mep_config_index = abfd->tdata.elf_obj_data->elf_header->e_flags & EF_MEP_INDEX_MASK;
 /* This instantly redefines MEP_CONFIG, MEP_OMASK, .... MEP_VLIW64 */
 
+ /* mep_config_map is a variable sized array, so we do not know how big it is.
+ The only safe way to check the index therefore is to iterate over the array.
+ We do know that the last entry is all null. */
+ int i;
+ for (i = 0; i <= mep_config_index; i++)
+ if (mep_config_map[i].name == NULL)
+ break;
+
+ if (i < mep_config_index)
+ {
+ opcodes_error_handler (_("illegal MEP INDEX setting '%x' in ELF header e_flags field"), mep_config_index);
+ mep_config_index = 0;
+ }
+
 cop_type = abfd->tdata.elf_obj_data->elf_header->e_flags & EF_MEP_COP_MASK;
 if (cop_type == EF_MEP_COP_IVC2)
 ivc2 = 1;
--
cgit v1.2.1