From f64e188b58f4aab4cbd03aa6e9fc1aa602546e26 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Tue, 9 Dec 2014 12:42:18 +0000
Subject: More fixes for memory access violations triggered by fuzzed binaries.

	PR binutils/17512
	* objdump.c (display_any_bfd): Avoid infinite loop closing and opening the same archive again and again.
	* archive64.c (bfd_elf64_archive_slurp_armap): Add range checks.
	* libbfd.c (safe_read_leb128): New function.
	* libbfd-in.h (safe_read_leb128): Add prototype.
	* libbfd.h: Regenerate.
	* elf-attrs.c (_bfd_elf_parse_attributes): Use safe_read_leb128. Check for an over-long subsection length.
	* elf.c (elf_parse_notes): Check that the namedata is long enough for the string comparison that is about to be performed.
	(elf_read_notes): Zero-terminate the note buffer.
---
 bfd/archive64.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'bfd/archive64.c')

diff --git a/bfd/archive64.c b/bfd/archive64.c
index 6b87ec5..9d29b90 100644
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -46,6 +46,7 @@ bfd_elf64_archive_slurp_armap (bfd *abfd)
   struct areltdata *mapdata;
   bfd_byte int_buf[8];
   char *stringbase;
+  char *stringend;
   bfd_byte *raw_armap = NULL;
   carsym *carsyms;
   bfd_size_type amt;
@@ -92,11 +93,18 @@ bfd_elf64_archive_slurp_armap (bfd *abfd)
   ptrsize = 8 * nsymz;
   amt = carsym_size + stringsize + 1;
+  if (carsym_size < nsymz || ptrsize < nsymz || amt < nsymz)
+    {
+      bfd_set_error (bfd_error_malformed_archive);
+      return FALSE;
+    }
   ardata->symdefs = (struct carsym *) bfd_zalloc (abfd, amt);
   if (ardata->symdefs == NULL)
     return FALSE;
   carsyms = ardata->symdefs;
   stringbase = ((char *) ardata->symdefs) + carsym_size;
+  stringbase[stringsize] = 0;
+  stringend = stringbase + stringsize;
   raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
   if (raw_armap == NULL)
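Review bot: The new guard `if (carsym_size < nsymz || ptrsize < nsymz || amt < nsymz)` detects multiplication wraparound only heuristically: a product that wraps modulo 2^64 can still compare greater than nsymz, so the test passes and the function proceeds to bfd_zalloc/bfd_alloc with a bogus size (constructed example on an LP64 host with a 16-byte carsym: nsymz = 0x1800000000000000 gives a wrapped carsym_size of 0x8000000000000000, which is larger than nsymz). In practice such sizes will almost certainly make the allocations fail and return FALSE, so the visible effect is relying on the allocator and reporting bfd_error_no_memory instead of bfd_error_malformed_archive rather than a memory-safety fault. An exact pre-multiplication bound is clearer and cheaper, e.g. `if (nsymz > (bfd_size_type) -1 / sizeof (carsym) || stringsize > (bfd_size_type) -1 - carsym_size - 1)` (assuming carsym_size is nsymz * sizeof (carsym) as its name suggests; ptrsize = 8 * nsymz is covered by the same bound since sizeof (carsym) is at least 8). If stringsize is itself derived by subtracting 8 * nsymz from the member size above the hunk, that subtraction can wrap too and `amt < nsymz` will not notice it; bounding nsymz against the member size would be the exact check there, but that computation is outside the hunk. bfd_elf64_archive_slurp_armap begins before this hunk and continues into the next one.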
@@ -114,7 +122,8 @@ bfd_elf64_archive_slurp_armap (bfd *abfd)
     {
       carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
       carsyms->name = stringbase;
-      stringbase += strlen (stringbase) + 1;
+      if (stringbase < stringend)
+        stringbase += strlen (stringbase) + 1;
       ++carsyms;
     }
   *stringbase = '\0';
-- 
cgit v1.1
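Review bot: The guarded advance `if (stringbase < stringend) stringbase += strlen (stringbase) + 1;` can still step one byte past stringend, because stringend is only an upper bound on where the next strlen stops, not on where the pointer lands: when the last name in the string table has no NUL before stringend, strlen runs up to the terminator the first hunk wrote at stringbase[stringsize], and stringbase becomes stringend + 1. Every remaining carsym then gets a name pointer one past the allocation, and `*stringbase = '\0';` after the loop writes one byte beyond the bfd_zalloc'd block, whose last valid byte is stringend (amt = carsym_size + stringsize + 1). Clamping after the advance closes the gap, `if (stringbase > stringend) stringbase = stringend;` placed right after the `stringbase += strlen (stringbase) + 1;` line, so that the trailing terminator write and any leftover name pointers stay inside the buffer. The loop and the rest of bfd_elf64_archive_slurp_armap continue outside this hunk.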