Diffstat (limited to 'binutils')
-rw-r--r-- | binutils/objcopy.c | 9 | ||||
-rw-r--r-- | binutils/readelf.c | 60 |
2 files changed, 25 insertions, 44 deletions
diff --git a/binutils/objcopy.c b/binutils/objcopy.c index 8c90773..2ca04e8 100644 --- a/binutils/objcopy.c +++ b/binutils/objcopy.c @@ -2529,7 +2529,6 @@ merge_gnu_build_notes (bfd * abfd, /* Reconstruct the ELF notes. */ bfd_byte * new_contents; - bfd_byte * old; bfd_byte * new; bfd_vma prev_start = 0; bfd_vma prev_end = 0; @@ -2537,12 +2536,8 @@ merge_gnu_build_notes (bfd * abfd, /* Not sure how, but the notes might grow in size. (eg see PR 1774507). Allow for this here. */ new = new_contents = xmalloc (size * 2); - for (pnote = pnotes, old = contents; - pnote < pnotes_end; - pnote ++) + for (pnote = pnotes; pnote < pnotes_end; pnote ++) { - bfd_size_type note_size = 12 + pnote->padded_namesz + pnote->note.descsz; - if (! is_deleted_note (pnote)) { /* Create the note, potentially using the @@ -2585,8 +2580,6 @@ merge_gnu_build_notes (bfd * abfd, prev_end = pnote->end; } } - - old += note_size; } #if DEBUG_MERGE diff --git a/binutils/readelf.c b/binutils/readelf.c index cfccdd2..686a16c 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -21727,8 +21727,13 @@ print_v850_note (Elf_Internal_Note * pnote) { unsigned int val; + printf (" %s: ", get_v850_elf_note_type (pnote->type)); + if (pnote->descsz != 4) - return false; + { + printf ("<corrupt descsz: %#lx>\n", pnote->descsz); + return false; + } val = byte_get ((unsigned char *) pnote->descdata, pnote->descsz); @@ -23297,10 +23302,15 @@ process_v850_notes (Filedata * filedata, uint64_t offset, uint64_t length) " %#" PRIx64 " with length %#" PRIx64 ":\n"), offset, length); - while ((char *) external + sizeof (Elf_External_Note) < end) + while ((char *) external < end) { - Elf_External_Note * next; + char *next; Elf_Internal_Note inote; + size_t data_remaining = end - (char *) external; + + if (data_remaining < offsetof (Elf_External_Note, name)) + break; + data_remaining -= offsetof (Elf_External_Note, name); inote.type = BYTE_GET (external->type); inote.namesz = BYTE_GET (external->namesz); 
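Review bot: In the `@@ -21727` hunk, `print_v850_note` still reads the descriptor through `byte_get` with only `descsz != 4` as its own guard, so its safety depends on the caller having checked that the descriptor lies inside the notes buffer. A comment above the function should state that contract, for example `/* PNOTE must already be range-checked: descdata .. descdata + descsz lies inside the notes buffer.  */`. The new `<corrupt descsz: ...>` text is also printed without the `_()` wrapper that the `warn` messages in `process_v850_notes` use, which looks like an oversight if the string is meant to be translatable. The function starts and ends outside this hunk.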
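Review bot: In the `@@ -23297` hunk, the new `if (data_remaining < offsetof (Elf_External_Note, name)) break;` leaves the loop without any diagnostic, so a truncated final note header is dropped silently and, as far as the visible lines show, `res` stays true. For a tool that inspects untrusted files it would be better to report it before the `break`, e.g. `warn (_("Corrupt note: only %zu bytes remain, not enough for a full note\n"), data_remaining); res = false;`. The invalid-size branch in the following `@@ -23308` hunk likewise breaks after its two `warn` calls without setting `res = false`. The loop body continues outside this hunk.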
@@ -23308,47 +23318,25 @@ process_v850_notes (Filedata * filedata, uint64_t offset, uint64_t length) inote.descsz = BYTE_GET (external->descsz); inote.descdata = inote.namedata + align_power (inote.namesz, 2); inote.descpos = offset + (inote.descdata - (char *) pnotes); + next = inote.descdata + align_power (inote.descsz, 2); - if (inote.descdata < (char *) pnotes || inote.descdata >= end) - { - warn (_("Corrupt note: name size is too big: %lx\n"), inote.namesz); - inote.descdata = inote.namedata; - inote.namesz = 0; - } - - next = (Elf_External_Note *) (inote.descdata + align_power (inote.descsz, 2)); - - if ( ((char *) next > end) - || ((char *) next < (char *) pnotes)) + if ((size_t) (inote.descdata - inote.namedata) < inote.namesz + || (size_t) (inote.descdata - inote.namedata) > data_remaining + || (size_t) (next - inote.descdata) < inote.descsz + || ((size_t) (next - inote.descdata) + > data_remaining - (size_t) (inote.descdata - inote.namedata))) { - warn (_("corrupt descsz found in note at offset %#tx\n"), + warn (_("note with invalid namesz and/or descsz found at offset %#tx\n"), (char *) external - (char *) pnotes); - warn (_(" type: %#lx, namesize: %#lx, descsize: %#lx\n"), - inote.type, inote.namesz, inote.descsz); + warn (_(" type: %#lx, namesize: %#lx, descsize: %#lx, alignment: %u\n"), + inote.type, inote.namesz, inote.descsz, 2); break; } - external = next; - - /* Prevent out-of-bounds indexing. */ - if ( inote.namedata + inote.namesz > end - || inote.namedata + inote.namesz < inote.namedata) - { - warn (_("corrupt namesz found in note at offset %#zx\n"), - (char *) external - (char *) pnotes); - warn (_(" type: %#lx, namesize: %#lx, descsize: %#lx\n"), - inote.type, inote.namesz, inote.descsz); - break; - } - - printf (" %s: ", get_v850_elf_note_type (inote.type)); + external = (Elf_External_Note *) next; if (! 
print_v850_note (& inote)) - { - res = false; - printf ("<corrupt sizes: namesz: %#lx, descsz: %#lx>\n", - inote.namesz, inote.descsz); - } + res = false; } free (pnotes); |
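Review bot: `inote.descdata` and `next` are formed by adding the file-supplied, still unchecked `namesz` and `descsz` to a pointer before the four-way range test runs, so for a corrupt note the test itself works on pointers that may lie outside the buffer, which C leaves undefined. Doing the size arithmetic on integers first and creating the pointers only once both sizes are known to fit in `data_remaining` keeps the same rejection logic without that dependency. This assumes `align_power` yields an unsigned integer value, which should be confirmed against its definition. The loop starts in the previous hunk and `namedata` is assigned in lines not shown here.

```c
      /* … unchanged: BYTE_GET of type, namesz and descsz, namedata assignment … */
      size_t name_len = align_power (inote.namesz, 2);
      size_t desc_len = align_power (inote.descsz, 2);

      if (name_len < inote.namesz
          || name_len > data_remaining
          || desc_len < inote.descsz
          || desc_len > data_remaining - name_len)
        {
          /* … unchanged: the two warn calls … */
          break;
        }

      /* Both sizes fit in the buffer, so these pointers stay in range.  */
      inote.descdata = inote.namedata + name_len;
      inote.descpos = offset + (inote.descdata - (char *) pnotes);
      next = inote.descdata + desc_len;
      external = (Elf_External_Note *) next;
```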