authorNick Clifton <nickc@redhat.com>2014-11-12 22:39:58 +0000
committerNick Clifton <nickc@redhat.com>2014-11-12 22:39:58 +0000
commitf41e4712a7b7ac60f181e7dfc984ca35c222f0d7 (patch)
tree6ac324979fd61983fb6a27dccf9fe306725789fa /binutils/rdcoff.c
parent40e91bc71f7993f2064cec4ffd007f2c814a1b29 (diff)
Fix more memory faults uncovered by fuzzing various executables.
PR binutils/17512 * dwarf.c (read_and_display_attr_value): Check that we do not read past end. (display_debug_pubnames_worker): Add range checks. (process_debug_info): Check for invalid pointer sizes. (display_loc_list): Likewise. (display_loc_list_dwo): Likewise. (display_debug_ranges): Likewise. (display_debug_aranges): Check for invalid address size. (read_cie): Add range checks. Replace call to strchr with a while loop. * objdump.c (dump_dwarf): Replace abort with a warning message. (print_section_stabs): Improve range checks. * rdcoff.c (coff_get_slot): Use long for indx parameter type. Add check for an excessively large index. * rddbg.c (read_section_stabs_debugging_info): Zero terminate the string table. Avoid walking off the end of the stabs data. * stabs.c (parse_stab_string): Add check for a NULL name. PR binutils/17512 * coffcode.h (coff_slurp_line_table): Set the line number of corrupt entries to -1. (coff_slurp_symbol_table): Always initialise the value of the symbol. * coffgen.c (coff_print_symbol): Check that the combined pointer is valid. (coff_print_symbol): Do not print negative line numbers. * peXXigen.c (pe_print_idata): Add range checking when displaying member names.
Diffstat (limited to 'binutils/rdcoff.c')
-rw-r--r--binutils/rdcoff.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/binutils/rdcoff.c b/binutils/rdcoff.c
index 859aefe..6785136 100644
--- a/binutils/rdcoff.c
+++ b/binutils/rdcoff.c
@@ -83,7 +83,7 @@ struct coff_types
debug_type basic[T_MAX + 1];
};
-static debug_type *coff_get_slot (struct coff_types *, int);
+static debug_type *coff_get_slot (struct coff_types *, long);
static debug_type parse_coff_type
(bfd *, struct coff_symbols *, struct coff_types *, long, int,
union internal_auxent *, bfd_boolean, void *);
@@ -104,12 +104,17 @@ static bfd_boolean external_coff_symbol_p (int sym_class);
/* Return the slot for a type. */
static debug_type *
-coff_get_slot (struct coff_types *types, int indx)
+coff_get_slot (struct coff_types *types, long indx)
{
struct coff_slots **pps;
pps = &types->slots;
+ /* PR 17512: file: 078-18333-0.001:0.1.
+ FIXME: The value of 1000 is a guess. Maybe a better heuristic is needed. */
+ if (indx / COFF_SLOTS > 1000)
+ fatal (_("Excessively large slot index: %lx"), indx);
+
while (indx >= COFF_SLOTS)
{
if (*pps == NULL)
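Review bot: The new guard in coff_get_slot rejects only large positive indices. Now that `indx` is a `long`, a negative value gives a quotient that is never above 1000, skips the `while (indx >= COFF_SLOTS)` loop, and is presumably used as an array index in the rest of the function, which lies outside this hunk. If the index can be derived from symbol data in the input file, the check should read `if (indx < 0 || indx / COFF_SLOTS > 1000)`. The message also passes a signed `long` to `%lx`, which expects `unsigned long`; `%ld` or an explicit cast would match the argument type.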