aboutsummaryrefslogtreecommitdiff
path: root/bfd
diff options
context:
space:
mode:
authorAlan Modra <amodra@gmail.com>2019-11-19 11:38:36 +1030
committerAlan Modra <amodra@gmail.com>2019-11-19 12:31:22 +1030
commitf14080d440fab16dcb498c1a46864a5a1be37aaa (patch)
treeb5013d182ac1d7722342c1ce5fa4d93c6ce3fa02 /bfd
parentdf56ecde8aeed75693f49c9e290427ee5030b05c (diff)
downloadfsf-binutils-gdb-f14080d440fab16dcb498c1a46864a5a1be37aaa.zip
fsf-binutils-gdb-f14080d440fab16dcb498c1a46864a5a1be37aaa.tar.gz
fsf-binutils-gdb-f14080d440fab16dcb498c1a46864a5a1be37aaa.tar.bz2
PR25197, assertion fail coffgen.c
The testcase in this PR triggered "BFD_ASSERT (p2->is_sym)" by sneakily generating a C_FILE sym whose value pointed into auxents. The fix then is in the last changed line of this patch, to check p->is_sym as well as p->u.syment.n_sclass. The other changes fix various overflow checks that weren't as solid as they could be. PR 25197 * coffgen.c (coff_find_nearest_line_with_names): Check that C_FILE u.syment.n_value does point at another C_FILE sym and not into some auxent that happens to look like a C_FILE. Properly check for integer overflow and avoid possible pointer wrap-around. Simplify pr17512 checks.
Diffstat (limited to 'bfd')
-rw-r--r--bfd/ChangeLog9
-rw-r--r--bfd/coffgen.c25
2 files changed, 19 insertions, 15 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index d13d969..ffe527c 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,14 @@
2019-11-19 Alan Modra <amodra@gmail.com>
+ PR 25197
+ * coffgen.c (coff_find_nearest_line_with_names): Check that C_FILE
+ u.syment.n_value does point at another C_FILE sym and not into
+ some auxent that happens to look like a C_FILE. Properly check
+ for integer overflow and avoid possible pointer wrap-around.
+ Simplify pr17512 checks.
+
+2019-11-19 Alan Modra <amodra@gmail.com>
+
PR 25200
* reloc.c (bfd_default_reloc_type_lookup): Don't BFD_FAIL.
* elf.c (_bfd_elf_validate_reloc): Don't segfault on NULL howto.
diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index ba7bb5e..7f26e18 100644
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1814,10 +1814,11 @@ coff_get_normalized_symtab (bfd *abfd)
if (! _bfd_coff_get_external_symbols (abfd))
return NULL;
- size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type);
+ size = obj_raw_syment_count (abfd);
/* Check for integer overflow. */
- if (size < obj_raw_syment_count (abfd))
+ if (size > (bfd_size_type) -1 / sizeof (combined_entry_type))
return NULL;
+ size *= sizeof (combined_entry_type);
internal = (combined_entry_type *) bfd_zalloc (abfd, size);
if (internal == NULL && size != 0)
return NULL;
@@ -1844,29 +1845,20 @@ coff_get_normalized_symtab (bfd *abfd)
symbol_ptr = internal_ptr;
internal_ptr->is_sym = TRUE;
- /* PR 17512: file: 1353-1166-0.004. */
- if (symbol_ptr->u.syment.n_sclass == C_FILE
- && symbol_ptr->u.syment.n_numaux > 0
- && raw_src + symesz + symbol_ptr->u.syment.n_numaux
- * symesz > raw_end)
- {
- bfd_release (abfd, internal);
- return NULL;
- }
-
for (i = 0;
i < symbol_ptr->u.syment.n_numaux;
i++)
{
internal_ptr++;
+ raw_src += symesz;
+
/* PR 17512: Prevent buffer overrun. */
- if (internal_ptr >= internal_end)
+ if (raw_src >= raw_end || internal_ptr >= internal_end)
{
bfd_release (abfd, internal);
return NULL;
}
- raw_src += symesz;
bfd_coff_swap_aux_in (abfd, (void *) raw_src,
symbol_ptr->u.syment.n_type,
symbol_ptr->u.syment.n_sclass,
@@ -2408,13 +2400,16 @@ coff_find_nearest_line_with_names (bfd *abfd,
maxdiff = offset + sec_vma - p2->u.syment.n_value;
}
+ if (p->u.syment.n_value >= cof->raw_syment_count)
+ break;
+
/* Avoid endless loops on erroneous files by ensuring that
we always move forward in the file. */
if (p >= cof->raw_syments + p->u.syment.n_value)
break;
p = cof->raw_syments + p->u.syment.n_value;
- if (p > pend || p->u.syment.n_sclass != C_FILE)
+ if (!p->is_sym || p->u.syment.n_sclass != C_FILE)
break;
}
}