authorNick Clifton <nickc@redhat.com>2015-02-06 11:12:02 +0000
committerNick Clifton <nickc@redhat.com>2015-02-06 11:12:54 +0000
commit5929c344f957f93253efa4c3495a996789d48ae7 (patch)
tree58ccb0820dc7aa39ca8d4a9645d7219421d32f1f /bfd/peXXigen.c
parent77f41761432a70930ea0a917a2f135b392af34f5 (diff)
Fixes illegal memory accesses triggered by running a 32-bit binary version of objdump compiled on a 64-bit host.
PR binutils/17512 * dwarf.c (display_debug_frames): Fix range checks to work on 32-bit binaries compiled on a 64-bit host. * peXXigen.c (rsrc_print_resource_entries): Add range check for addresses that wrap around the address space. (rsrc_parse_entry): Likewise.
Diffstat (limited to 'bfd/peXXigen.c')
-rw-r--r--bfd/peXXigen.c29
1 files changed, 19 insertions, 10 deletions
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index 45f1937..9feab3b 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -2302,6 +2302,7 @@ rsrc_print_resource_entries (FILE * file,
bfd_vma rva_bias)
{
unsigned long entry, addr, size;
+ bfd_byte * leaf;
if (data + 8 >= regions->section_end)
return regions->section_end + 1;
@@ -2382,18 +2383,21 @@ rsrc_print_resource_entries (FILE * file,
regions, rva_bias);
}
- if (regions->section_start + entry + 16 >= regions->section_end)
+ leaf = regions->section_start + entry;
+
+ if (leaf + 16 >= regions->section_end
+ /* PR 17512: file: 055dff7e. */
+ || leaf < regions->section_start)
return regions->section_end + 1;
fprintf (file, _("%03x %*.s Leaf: Addr: %#08lx, Size: %#08lx, Codepage: %d\n"),
- (int) (entry),
- indent, " ",
- addr = (long) bfd_get_32 (abfd, regions->section_start + entry),
- size = (long) bfd_get_32 (abfd, regions->section_start + entry + 4),
- (int) bfd_get_32 (abfd, regions->section_start + entry + 8));
+ (int) (entry), indent, " ",
+ addr = (long) bfd_get_32 (abfd, leaf),
+ size = (long) bfd_get_32 (abfd, leaf + 4),
+ (int) bfd_get_32 (abfd, leaf + 8));
/* Check that the reserved entry is 0. */
- if (bfd_get_32 (abfd, regions->section_start + entry + 12) != 0
+ if (bfd_get_32 (abfd, leaf + 12) != 0
/* And that the data address/size is valid too. */
|| (regions->section_start + (addr - rva_bias) + size > regions->section_end))
return regions->section_end + 1;
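Review bot: The wrap-around guard `leaf < regions->section_start` is evaluated only after `regions->section_start + entry` has been formed, and pointer arithmetic that leaves the object is undefined in C, so an optimizing compiler is allowed to drop the test; `leaf + 16` has the same problem. Comparing offsets avoids forming the out-of-range pointer at all: `bfd_size_type len = regions->section_end - regions->section_start;` followed by `if (len < 16 || entry >= len - 16) return regions->section_end + 1;`. The unchanged test `regions->section_start + (addr - rva_bias) + size > regions->section_end` a few lines below can wrap in the same way with file-supplied `addr` and `size`, and this commit leaves it as is. The `data < datastart` test added in the rsrc_parse_entry hunk is built the same way. The body of rsrc_print_resource_entries starts and ends outside this hunk.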
@@ -3264,9 +3268,14 @@ rsrc_parse_entry (bfd * abfd,
if (entry->value.leaf == NULL)
return dataend;
- addr = bfd_get_32 (abfd, datastart + val);
- size = entry->value.leaf->size = bfd_get_32 (abfd, datastart + val + 4);
- entry->value.leaf->codepage = bfd_get_32 (abfd, datastart + val + 8);
+ data = datastart + val;
+ if (data < datastart || data >= dataend)
+ return dataend;
+
+ addr = bfd_get_32 (abfd, data);
+ size = entry->value.leaf->size = bfd_get_32 (abfd, data + 4);
+ entry->value.leaf->codepage = bfd_get_32 (abfd, data + 8);
+ /* FIXME: We assume that the reserved field (data + 12) is OK. */
entry->value.leaf->data = bfd_malloc (size);
if (entry->value.leaf->data == NULL)
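Review bot: The new bound `data >= dataend` accepts a `data` that points at the last byte of the section, yet the following lines read 32-bit fields at `data`, `data + 4` and `data + 8`, so a leaf offset near the end of the section still reads past `dataend`. The check should leave room for the whole 16-byte leaf record and is safer written on offsets, for example `if (dataend - datastart < 16 || val > (unsigned long) (dataend - datastart) - 16) return dataend;` (this assumes `val` is an unsigned offset; its declaration is outside the hunk). `size` then goes straight into `bfd_malloc (size)`, and whether it is validated against the section before the leaf data is copied is not visible here. rsrc_parse_entry starts and ends outside this hunk.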