author | Alan Modra <amodra@gmail.com> | 2021-10-23 11:27:14 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2021-10-24 21:36:32 +1030 |
commit | 3f9661f12a42583c91655bc5c5b60542bcaed4e2 (patch) | |
tree | 7c9771edd280b3a23065aa4a06facd9cfa6b1564 | |
parent | 560b3fe208255ae909b4b1c88ba9c28b09043307 (diff) | |
asan: aout: heap buffer overflow
* aoutx.h (aout_get_external_symbols): Sanity check before writing
zero index entry. Remove outdated comment.
* pdp11.c (aout_get_external_symbols): Likewise.
-rw-r--r-- | bfd/aoutx.h | 5 | ||||
-rw-r--r-- | bfd/pdp11.c | 5 |
2 files changed, 4 insertions, 6 deletions
diff --git a/bfd/aoutx.h b/bfd/aoutx.h
index ea09646..61d8e0c 100644
--- a/bfd/aoutx.h
+++ b/bfd/aoutx.h
@@ -1353,8 +1353,6 @@ aout_get_external_symbols (bfd *abfd)
 if (stringsize >= BYTES_IN_WORD)
 {
- /* Keep the string count in the buffer for convenience
- when indexing with e_strx. */
 amt = stringsize - BYTES_IN_WORD;
 if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
 {
@@ -1364,7 +1362,8 @@ aout_get_external_symbols (bfd *abfd)
 }
 }
 /* Ensure that a zero index yields an empty string. */
- memset (strings, 0, BYTES_IN_WORD);
+ if (stringsize >= BYTES_IN_WORD)
+ memset (strings, 0, BYTES_IN_WORD);
 /* Ensure that the string buffer is NUL terminated. */
 strings[stringsize] = 0;
diff --git a/bfd/pdp11.c b/bfd/pdp11.c
index 6429b43..280f5cd 100644
--- a/bfd/pdp11.c
+++ b/bfd/pdp11.c
@@ -1333,8 +1333,6 @@ aout_get_external_symbols (bfd *abfd)
 if (stringsize >= BYTES_IN_LONG)
 {
- /* Keep the string count in the buffer for convenience
- when indexing with e_strx. */
 amt = stringsize - BYTES_IN_LONG;
 if (bfd_bread (strings + BYTES_IN_LONG, amt, abfd) != amt)
 {
@@ -1344,7 +1342,8 @@ aout_get_external_symbols (bfd *abfd)
 }
 }
 /* Ensure that a zero index yields an empty string. */
- memset (strings, 0, BYTES_IN_LONG);
+ if (stringsize >= BYTES_IN_WORD)
+ memset (strings, 0, BYTES_IN_LONG);
 /* Ensure that the string buffer is NUL terminated. */
 strings[stringsize] = 0; |
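Review bot: When `stringsize` is non-zero but below `BYTES_IN_WORD`, nothing in the second bfd/aoutx.h hunk writes `strings[0]`, because both the read block and the newly guarded memset are skipped. The comment's promise that a zero index yields an empty string then depends on whatever the allocation left in the buffer; the allocation and any earlier range check on `stringsize` are outside the hunk, so this is inferred. Consider adding `else strings[0] = 0;` after the guarded memset, which stays within the buffer that `strings[stringsize] = 0` already assumes. The matching hunk in bfd/pdp11.c has the same gap, and the function body starts and ends outside both hunks.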
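Review bot: In the second bfd/pdp11.c hunk the added guard tests `BYTES_IN_WORD`, but the memset it protects writes `BYTES_IN_LONG` bytes, and every other size check in this file's hunks (`if (stringsize >= BYTES_IN_LONG)`, `amt = stringsize - BYTES_IN_LONG`) uses `BYTES_IN_LONG`. The two macro definitions are not visible here, but if `BYTES_IN_WORD` is the smaller one, a `stringsize` between the two values passes the guard and the memset still writes past the end of the string buffer, which is the heap overflow this commit sets out to close. The guard should read `if (stringsize >= BYTES_IN_LONG)`. A regression input with a string table size just below `BYTES_IN_LONG`, run under ASan, would confirm the corrected guard.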