From b3532bc13b8f5c6f2e34920e3bd51abaff588520 Mon Sep 17 00:00:00 2001
From: marxin <marxin@138bc75d-0d04-0410-961f-82ee72b054a4>
Date: Mon, 15 Aug 2016 11:16:50 +0000
Subject: Fix invalid memory access in gcc.c (driver/72765)

	PR driver/72765
	* gcc.c (do_spec_1): Call save_string with the right size.
	(save_string): Do an assert about string we copy.


git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@239475 138bc75d-0d04-0410-961f-82ee72b054a4
---
 gcc/ChangeLog | 6 ++++++
 gcc/gcc.c     | 6 ++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index 2b5355d0f9f..dc7e8cbc451 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,9 @@
+2016-08-15  Martin Liska  <mliska@suse.cz>
+
+	PR driver/72765
+	* gcc.c (do_spec_1): Call save_string with the right size.
+	(save_string): Do an assert about string we copy.
+
 2016-08-15  Richard Biener  <rguenther@suse.de>
 
 	* ree.c (rest_of_handle_ree): Remove redundant timevar push/pop.
diff --git a/gcc/gcc.c b/gcc/gcc.c
index 7460f6af148..d3e8c88ac68 100644
--- a/gcc/gcc.c
+++ b/gcc/gcc.c
@@ -5420,8 +5420,9 @@ do_spec_1 (const char *spec, int inswitch, const char *soft_matched_part)
 			if (files_differ)
 #endif
 			  {
-			    temp_filename = save_string (temp_filename,
-							 temp_filename_length + 1);
+			    temp_filename
+			      = save_string (temp_filename,
+					     temp_filename_length - 1);
 			    obstack_grow (&obstack, temp_filename,
 						    temp_filename_length);
 			    arg_going = 1;
@@ -8362,6 +8363,7 @@ save_string (const char *s, int len)
 {
   char *result = XNEWVEC (char, len + 1);
 
+  gcc_checking_assert (strlen (s) >= (unsigned int) len);
   memcpy (result, s, len);
   result[len] = 0;
   return result;
-- 
cgit v1.2.1