diff options
| author | Nick Clifton <nickc@redhat.com> | 2014-11-18 10:07:11 +0000 |
|---|---|---|
| committer | Nick Clifton <nickc@redhat.com> | 2014-11-18 10:07:11 +0000 |
| commit | 0eff716535f3e8f501d6b438f7f796b70a0b9f98 (patch) | |
| tree | 8b7a2dc8ccc4db0997b3cd3a5a17f61189e3d685 /binutils | |
| parent | 25a0334e39963239f03555efe7e933558cc897e0 (diff) | |
| download | fsf-binutils-gdb-0eff716535f3e8f501d6b438f7f796b70a0b9f98.zip fsf-binutils-gdb-0eff716535f3e8f501d6b438f7f796b70a0b9f98.tar.gz fsf-binutils-gdb-0eff716535f3e8f501d6b438f7f796b70a0b9f98.tar.bz2 | |
Fix memort access problems exposed by fuzzed binaries.
PR binutils/17531
* readelf.c (get_unwind_section_word): Skip reloc processing if
there are no relocs associated with the section.
(decode_tic6x_unwind_bytecode): Warn and return if the stack
pointer adjustment falls off the end of the buffer.
Diffstat (limited to 'binutils')
| -rw-r--r-- | binutils/ChangeLog | 8 | ||||
| -rw-r--r-- | binutils/readelf.c | 16 |
2 files changed, 23 insertions, 1 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog index bba4c98..3b82059 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,11 @@ +2014-11-18 Nick Clifton <nickc@redhat.com> + + PR binutils/17531 + * readelf.c (get_unwind_section_word): Skip reloc processing if + there are no relocs associated with the section. + (decode_tic6x_unwind_bytecode): Warn and return if the stack + pointer adjustment falls off the end of the buffer. + 2014-11-14 Nick Clifton <nickc@redhat.com> PR binutils/17512 diff --git a/binutils/readelf.c b/binutils/readelf.c index 964dfc6..6cead83 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -7089,6 +7089,13 @@ get_unwind_section_word (struct arm_unw_aux_info * aux, /* Get the word at the required offset. */ word = byte_get (arm_sec->data + word_offset, 4); + /* PR 17531: file: id:000001,src:001266+003044,op:splice,rep:128. */ + if (arm_sec->rela == NULL) + { + * wordp = word; + return TRUE; + } + /* Look through the relocs to find the one that applies to the provided offset. */ wrapped = FALSE; for (rp = arm_sec->next_rela; rp != arm_sec->rela + arm_sec->nrelas; rp++) @@ -7583,7 +7590,14 @@ decode_tic6x_unwind_bytecode (struct arm_unw_aux_info *aux, if ((buf[i] & 0x80) == 0) break; } - assert (i < sizeof (buf)); + /* PR 17531: file: id:000001,src:001906+004739,op:splice,rep:2. */ + if (i == sizeof (buf)) + { + printf ("<corrupt sp adjust>\n"); + warn (_("Corrupt stack pointer adjustment detected\n")); + return; + } + offset = read_uleb128 (buf, &len, buf + i + 1); assert (len == i + 1); offset = offset * 8 + 0x408; |