Segfault in x86 disassembler

[radare]

The killer sequence of bytes is: "\xff\x8c\xf9\xff\xff\x9b\xf9"

You can reproduce the crash with this program:

#include <stdio.h>
#include <capstone.h>

int main() {
        int i, n, ret;
        csh handle;
        cs_insn *insn;

        ret = cs_open (CS_ARCH_X86, CS_MODE_32, &handle);
        if (ret) {
                printf ("Failed\n");
                return 1;
        }
        n = cs_disasm_dyn (handle, "\xff\x8c\xf9\xff\xff\x9b\xf9", 7, 0, 0, &insn);
        if (n>0)
        for (i=0; i<n; i++) {
                printf ("%d -> (sz=%d) : %s %s\n", i,
                        insn[i].size,
                        insn[i].mnemonic,
                        insn[i].op_str);
        }
        cs_close (handle);
        return 0;
}

backtrace:

(lldb) bt
* thread #1: tid = 0x5e686, 0x00007fff908a0866 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread, stop reason = signal SIGABRT
    frame #0: 0x00007fff908a0866 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff90cd235c libsystem_pthread.dylib`pthread_kill + 92
    frame #2: 0x00007fff9097fbba libsystem_c.dylib`abort + 125
    frame #3: 0x00007fff9097fd31 libsystem_c.dylib`abort_report_np + 181
    frame #4: 0x00007fff909a38c5 libsystem_c.dylib`__chk_fail + 48
    frame #5: 0x00007fff909a3895 libsystem_c.dylib`__chk_fail_overflow + 16
    frame #6: 0x00007fff909a3ae4 libsystem_c.dylib`__strcpy_chk + 83
    frame #7: 0x000000010000d77d a.out`X86_Intel_printInst [inlined] get_first_op(buffer=<unavailable>) + 3101 at X86IntelInstPrinter.c:178
    frame #8: 0x000000010000d718 a.out`X86_Intel_printInst(MI=0x00007fff909a3895, O=<unavailable>, Info=<unavailable>) + 3000 at X86IntelInstPrinter.c:208
    frame #9: 0x0000000100001f45 a.out`cs_disasm_dyn(ud=4300224704, buffer=0x0000000100049378, size=<unavailable>, offset=0, count=<unavailable>, insn=0x00007fff5fbffb60) + 725 at cs.c:270
    frame #10: 0x000000010000150d a.out`main + 125
    frame #11: 0x00007fff9630a5fd libdyld.dylib`start + 1
(lldb)
frame #7: 0x000000010000d77d a.out`X86_Intel_printInst [inlined] get_first_op(buffer=<unavailable>) + 3101 at X86IntelInstPrinter.c:178
   175              memcpy(firstop, tab + 1, comma - tab - 1);
   176              firstop[comma - tab - 1] = '\0';
   177          } else
-> 178              strcpy(firstop, tab + 1);
   179      } else  // no op
   180          firstop[0] = '\0';
   181  }

[danghvu]

Fixed in f10be9b