From d1e304bc27b737e0e7daf0029dd5f1e91a4898ed Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Mon, 28 Oct 2019 15:44:23 +0000
Subject: [PATCH] Stop potential illegal memory access in the NS32K disassembler.
* ns32k-dis.c (bit_extract): Add sanitiy check of parameters. (bit_extract_simple): Likewise. (bit_copy): Likewise. (pirnt_insn_ns32k): Ensure that uninitialised elements in the index_offset array are not accessed.
---
 opcodes/ChangeLog | 8 ++++++++
 opcodes/ns32k-dis.c | 10 +++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/opcodes/ChangeLog b/opcodes/ChangeLog
index 66df91109e..fe0f2402d7 100644
--- a/opcodes/ChangeLog
+++ b/opcodes/ChangeLog
@@ -1,3 +1,11 @@
+2019-10-28 Nick Clifton
+
+ * ns32k-dis.c (bit_extract): Add sanitiy check of parameters.
+ (bit_extract_simple): Likewise.
+ (bit_copy): Likewise.
+ (pirnt_insn_ns32k): Ensure that uninitialised elements in the
+ index_offset array are not accessed.
+
 2019-10-28 Nick Clifton
 * xgate-dis.c (print_insn): Fix decoding of the XGATE_OP_DYA
diff --git a/opcodes/ns32k-dis.c b/opcodes/ns32k-dis.c
index 1fffbd8d11..22a9389ecf 100644
--- a/opcodes/ns32k-dis.c
+++ b/opcodes/ns32k-dis.c
@@ -265,6 +265,8 @@ bit_extract (bfd_byte *buffer, int offset, int count)
 int result;
 int bit;
+ if (offset < 0 || count < 0)
+ return 0;
 buffer += offset >> 3;
 offset &= 7;
 bit = 1;
@@ -292,6 +294,8 @@ bit_extract_simple (bfd_byte *buffer, int offset, int count)
 int result;
 int bit;
+ if (offset < 0 || count < 0)
+ return 0;
 buffer += offset >> 3;
 offset &= 7;
 bit = 1;
@@ -313,6 +317,8 @@ bit_extract_simple (bfd_byte *buffer, int offset, int count)
 static void
 bit_copy (bfd_byte *buffer, int offset, int count, char *to)
 {
+ if (offset < 0 || count < 0)
+ return;
 for (; count > 8; count -= 8, to++, offset += 8)
 *to = bit_extract (buffer, offset, 8);
 *to = bit_extract (buffer, offset, count);
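Review bot: The new guard in bit_extract rejects only negative values, so a large positive `offset` still moves the pointer past the caller's bytes at `buffer += offset >> 3`, and nothing caps `count` at the width of `int result`; the identical guard in bit_extract_simple has the same gap. Neither function receives the buffer length, so the upper bound has to come from the callers, but the count can be limited locally with `if (offset < 0 || count < 0 || count > (int) (sizeof (result) * 8)) return 0;`. Returning 0 also makes a rejected call indistinguishable from a field that really is zero, which deserves a comment on the check such as `/* Malformed operand: yield 0 rather than read before BUFFER.  */`. Both function bodies continue outside their hunks, so whether a later fetch already bounds the read cannot be confirmed from here.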
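Review bot: The early `return` added to bit_copy leaves `*to` unwritten, so a caller that reads its destination afterwards sees whatever was in that memory before the call. For a negative `count` the unguarded path would have skipped the loop and stored the 0 that bit_extract now returns, so this guard swaps a defined result for an undefined one. Storing a value before leaving, `{ *to = 0; return; }`, keeps the disassembler's output deterministic on malformed input. How many destination bytes the callers expect to be filled is not visible in this hunk and should be checked against them.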
@@ -836,8 +842,10 @@ print_insn_ns32k (bfd_vma memaddr, disassemble_info *info)
 memaddr, arg_bufs[argnum], index_offset[whicharg]);
 d++;
- whicharg++;
+ if (whicharg++ >= 1)
+ break;
 }
+
 for (argnum = 0; argnum <= maxarg; argnum++)
 {
 bfd_vma addr;
-- 
2.34.1
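Review bot: The literal `1` in `if (whicharg++ >= 1)` ties this loop to how many `index_offset` slots are set up elsewhere, and nothing in the hunk says so. Going by the commit message only the first elements of the array are initialised, so a comment on the check such as `/* index_offset[] is only initialised for the first two operands.  */` would keep the bound from drifting if that setup changes. The `break` also drops any remaining operands without a diagnostic, so a malformed encoding is printed as though it decoded completely. The loop head and the declaration of `index_offset` are outside the hunk; initialising the whole array at its declaration may be the more robust fix and is worth checking there.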