PR30657, gprof heap buffer overflow

PR 30657 * cg_arcs.c (cg_assemble): Sanity check find_call addresses. * i386.c (i386_find_call): Don't access past end of core_text_space. * aarch64.c (aarch64_find_call): Round up lowpc, round down highpc. * alpha.c (alpha_find_call): Likewise. * mips.c (mips_find_call): Likewise. * sparc.c (sparc_find_call): Likewise. * vax.c (vax_find_call): Sanity check core_text_space accesses.
author: Alan Modra <amodra@gmail.com> 2023-07-26 09:54:03 +0930
committer: Alan Modra <amodra@gmail.com> 2023-07-26 10:23:27 +0930
commit: 477c9f2ba26ccd77016f2c97941fc8b35e332e35 (patch)
tree: 7101fd32ce2079ad0dc7006ddf9d54251af2b320 /gprof/alpha.c
parent: eb14a8b4bfb767beebfb54d7911da4132b5c0f94 (diff)
download: binutils-477c9f2ba26ccd77016f2c97941fc8b35e332e35.zip
binutils-477c9f2ba26ccd77016f2c97941fc8b35e332e35.tar.gz
binutils-477c9f2ba26ccd77016f2c97941fc8b35e332e35.tar.bz2
1 files changed, 3 insertions, 1 deletions
diff --git a/gprof/alpha.c b/gprof/alpha.c
index d84cdf0..df714be 100644
--- a/gprof/alpha.c
+++ b/gprof/alpha.c
@@ -107,7 +107,9 @@ alpha_find_call (Sym *parent, bfd_vma p_lowpc, bfd_vma p_highpc)
   DBG (CALLDEBUG, printf (_("[find_call] %s: 0x%lx to 0x%lx\n"),
 			  parent->name, (unsigned long) p_lowpc,
 			  (unsigned long) p_highpc));
-  for (pc = (p_lowpc + 3) & ~(bfd_vma) 3; pc < p_highpc; pc += 4)
+  p_lowpc = (p_lowpc + 3) & ~3;
+  p_highpc &= ~3;
+  for (pc = p_lowpc; pc < p_highpc; pc += 4)
     {
       insn = bfd_get_32 (core_bfd, ((unsigned char *) core_text_space
 				    + pc - core_text_sect->vma));
author	Alan Modra <amodra@gmail.com>	2023-07-26 09:54:03 +0930
committer	Alan Modra <amodra@gmail.com>	2023-07-26 10:23:27 +0930
commit	477c9f2ba26ccd77016f2c97941fc8b35e332e35 (patch)
tree	7101fd32ce2079ad0dc7006ddf9d54251af2b320 /gprof/alpha.c
parent	eb14a8b4bfb767beebfb54d7911da4132b5c0f94 (diff)
download	binutils-477c9f2ba26ccd77016f2c97941fc8b35e332e35.zip binutils-477c9f2ba26ccd77016f2c97941fc8b35e332e35.tar.gz binutils-477c9f2ba26ccd77016f2c97941fc8b35e332e35.tar.bz2