authorAlan Modra <amodra@gmail.com>2019-02-20 08:21:24 +1030
committerAlan Modra <amodra@gmail.com>2019-02-20 11:50:07 +1030
commit8abac8031ed369a2734b1cdb7df28a39a54b4b49 (patch)
treee6a6f1ce759adb9afb1f515aa9347d06541b0f16 /bfd/archive64.c
parent7ae39e2d406dbec568c5ffd462119037b994fdf9 (diff)
PR24236, Heap buffer overflow in _bfd_archive_64_bit_slurp_armap
PR 24236 * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding sentinel NUL to string buffer nearer to loop where it is used. Don't go past sentinel when scanning strings, and don't write NUL again. * archive.c (do_slurp_coff_armap): Simplify string handling to archive64.c style.
Diffstat (limited to 'bfd/archive64.c')
-rw-r--r--bfd/archive64.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/bfd/archive64.c b/bfd/archive64.c
index 312bf82..42f6ed9 100644
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
return FALSE;
carsyms = ardata->symdefs;
stringbase = ((char *) ardata->symdefs) + carsym_size;
- stringbase[stringsize] = 0;
- stringend = stringbase + stringsize;
raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
if (raw_armap == NULL)
@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
goto release_raw_armap;
}
+ stringend = stringbase + stringsize;
+ *stringend = 0;
for (i = 0; i < nsymz; i++)
{
carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
carsyms->name = stringbase;
- if (stringbase < stringend)
- stringbase += strlen (stringbase) + 1;
+ stringbase += strlen (stringbase);
+ if (stringbase != stringend)
+ ++stringbase;
++carsyms;
}
- *stringbase = '\0';
ardata->symdef_count = nsymz;
ardata->first_file_filepos = bfd_tell (abfd);
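Review bot: The added `*stringend = 0;` needs a comment stating the invariant it relies on, because the store lands one byte past the `stringsize` bytes of string data, and the allocation that must provide that byte is outside this hunk. Something like `/* Sentinel NUL: the buffer must hold carsym_size + stringsize + 1 bytes so strlen below cannot run past the table. */` above the two added lines would make the bound checkable at a glance. Separately, when the table holds fewer than `nsymz` terminated names, the `if (stringbase != stringend)` guard leaves every remaining `carsyms->name` pointing at the sentinel, so those symbols get an empty name with no error. If that tolerance for a malformed archive is intended, the comment should say so; otherwise the loop could reject the archive at that point. The body of `_bfd_archive_64_bit_slurp_armap` starts and ends outside the hunk, so the allocation size and the read of the string table should be confirmed there.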