From f41e4712a7b7ac60f181e7dfc984ca35c222f0d7 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Wed, 12 Nov 2014 22:39:58 +0000 Subject: Fix more memory faults uncovered by fuzzing various executables. PR binutils/17512 * dwarf.c (read_and_display_attr_value): Check that we do not read past end. (display_debug_pubnames_worker): Add range checks. (process_debug_info): Check for invalid pointer sizes. (display_loc_list): Likewise. (display_loc_list_dwo): Likewise. (display_debug_ranges): Likewise. (display_debug_aranges): Check for invalid address size. (read_cie): Add range checks. Replace call strchr with while loop. * objdump.c (dump_dwarf): Replace abort with a warning message. (print_section_stabs): Improve range checks. * rdcoff.c (coff_get_slot): Use long for indx parameter type. Add check for an excesively large index. * rddbg.c (read_section_stabs_debugging_info): Zero terminate the string table. Avoid walking off the end of the stabs data. * stabs.c (parse_stab_string): Add check for a NULL name. PR binutils/17512 * coffcode.h (coff_slurp_line_table): Set the line number of corrupt entries to -1. (coff_slurp_symbol_table): Alway initialise the value of the symbol. * coffgen.c (coff_print_symbol): Check that the combined pointer is valid. (coff_print_symbol): Do not print negative line numbers. * peXXigen.c (pe_print_idata): Add range checking displaying member names. --- bfd/peXXigen.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) (limited to 'bfd/peXXigen.c') diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c index 725e9f6..13e39e4 100644 --- a/bfd/peXXigen.c +++ b/bfd/peXXigen.c @@ -1481,27 +1481,31 @@ pe_print_idata (bfd * abfd, void * vfile) #ifdef COFF_WITH_pex64 for (j = 0; idx + j + 8 <= datasize; j += 8) { + bfd_size_type amt; unsigned long member = bfd_get_32 (abfd, data + idx + j); unsigned long member_high = bfd_get_32 (abfd, data + idx + j + 4); if (!member && !member_high) break; + amt = member - adj; + if (HighBitSet (member_high)) fprintf (file, "\t%lx%08lx\t %4lx%08lx ", member_high, member, WithoutHighBit (member_high), member); /* PR binutils/17512: Handle corrupt PE data. */ - else if ((bfd_vma) member - adj + 2 >= datasize) + else if (amt + 2 >= datasize) fprintf (file, _("\t"), member); else { int ordinal; char *member_name; - ordinal = bfd_get_16 (abfd, data + member - adj); - member_name = (char *) data + member - adj + 2; - fprintf (file, "\t%04lx\t %4d %s",member, ordinal, member_name); + ordinal = bfd_get_16 (abfd, data + amt); + member_name = (char *) data + amt + 2; + fprintf (file, "\t%04lx\t %4d %.*s",member, ordinal, + (int) (datasize - (amt + 2)), member_name); } /* If the time stamp is not zero, the import address @@ -1517,27 +1521,30 @@ pe_print_idata (bfd * abfd, void * vfile) #else for (j = 0; idx + j + 4 <= datasize; j += 4) { + bfd_size_type amt; unsigned long member = bfd_get_32 (abfd, data + idx + j); /* Print single IMAGE_IMPORT_BY_NAME vector. */ if (member == 0) break; + amt = member - adj; if (HighBitSet (member)) fprintf (file, "\t%04lx\t %4lu ", member, WithoutHighBit (member)); /* PR binutils/17512: Handle corrupt PE data. */ - else if ((bfd_vma) member - adj + 2 >= datasize) + else if (amt + 2 >= datasize) fprintf (file, _("\t"), member); else { int ordinal; char *member_name; - ordinal = bfd_get_16 (abfd, data + member - adj); - member_name = (char *) data + member - adj + 2; - fprintf (file, "\t%04lx\t %4d %s", - member, ordinal, member_name); + ordinal = bfd_get_16 (abfd, data + amt); + member_name = (char *) data + amt + 2; + fprintf (file, "\t%04lx\t %4d %.*s", + member, ordinal, + (int) (datasize - (amt + 2)), member_name); } /* If the time stamp is not zero, the import address -- cgit v1.1