author | Alan Modra <amodra@gmail.com> | 2020-06-29 09:51:07 +0930 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2020-06-29 10:09:14 +0930 |
commit | 07d22f648e56d7276fa7a4a73438005448c406fb (patch) | |
tree | ed775472361aa5b8a78aec9e7a3a642e81480b6f /bfd/peXXigen.c | |
parent | 279edac53db8fa6482ee3e305c9627f788fd2699 (diff) | |
download | gdb-07d22f648e56d7276fa7a4a73438005448c406fb.zip gdb-07d22f648e56d7276fa7a4a73438005448c406fb.tar.gz gdb-07d22f648e56d7276fa7a4a73438005448c406fb.tar.bz2 |
asan: _bfd_pei_slurp_codeview_record use of uninit value
Fixes some seriously careless code. bfd_bread return value is
(bfd_size_type)-1 on error. "if (bfd_bread (...) < 4)" does not check
for an error since bfd_size_type is unsigned. In any case, I think we
should be reading and checking the requested length.
* peXXigen.c (_bfd_XXi_slurp_codeview_record): Properly check
return value of bfd_bread. Don't read more than requested length.
Sanity check length. Properly terminate file name.
Diffstat (limited to 'bfd/peXXigen.c')
-rw-r--r-- | bfd/peXXigen.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c index b3b6808..5149ef5 100644 --- a/bfd/peXXigen.c +++ b/bfd/peXXigen.c @@ -1147,15 +1147,21 @@ CODEVIEW_INFO * _bfd_XXi_slurp_codeview_record (bfd * abfd, file_ptr where, unsigned long length, CODEVIEW_INFO *cvinfo) { char buffer[256+1]; + bfd_size_type nread; if (bfd_seek (abfd, where, SEEK_SET) != 0) return NULL; - if (bfd_bread (buffer, 256, abfd) < 4) + if (length <= sizeof (CV_INFO_PDB70) && length <= sizeof (CV_INFO_PDB20)) + return NULL; + if (length > 256) + length = 256; + nread = bfd_bread (buffer, length, abfd); + if (length != nread) return NULL; /* Ensure null termination of filename. */ - buffer[256] = '\0'; + memset (buffer + nread, 0, sizeof (buffer) - nread); cvinfo->CVSignature = H_GET_32 (abfd, buffer); cvinfo->Age = 0; |
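Review bot: the new length check `if (length <= sizeof (CV_INFO_PDB70) && length <= sizeof (CV_INFO_PDB20)) return NULL;` only rejects a record that is too short for both layouts, so a length that lies between the two struct sizes still passes whichever value `cvinfo->CVSignature = H_GET_32 (abfd, buffer)` later turns out to select; the per-signature field reads that follow stay within initialized memory only because `memset (buffer + nread, 0, sizeof (buffer) - nread);` zero-fills the rest of the 257-byte buffer, so a short comment tying the memset to that check would stop the two from being changed independently. The clamp `if (length > 256) length = 256;` also deserves a comment: a longer record is silently truncated rather than rejected, and since nread can then never reach sizeof (buffer) the memset always writes at least the final byte, which is what now keeps the existing "Ensure null termination of filename" comment true in place of the old `buffer[256] = '\0';`.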