From 634557801d909982b47b1723f4216ebe8bc784aa Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Tue, 19 Mar 2019 13:39:30 +0000
Subject: Prevent an illegal memory access by objdump when parsing a corrupt file on a 32-bit host.

PR 24360
* objdump.c (load_specific_debug_section): Check that the amount of memory to be allocated matches the size of the section.
---
 binutils/objdump.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
(limited to 'binutils/objdump.c')

diff --git a/binutils/objdump.c b/binutils/objdump.c
index 3ef2716..79aed75 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -382,10 +382,10 @@ nonfatal (const char *msg)
 static const char *
 sanitize_string (const char * in)
 {
- static char * buffer = NULL;
- static unsigned int buffer_len = 0;
- const char * original = in;
- char * out;
+ static char * buffer = NULL;
+ static size_t buffer_len = 0;
+ const char * original = in;
+ char * out;
 
 /* Paranoia. */
 if (in == NULL)
@@ -2679,6 +2679,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
 bfd *abfd = (bfd *) file;
 bfd_byte *contents;
 bfd_size_type amt;
+ size_t alloced;
 
 if (section->start != NULL)
 {
@@ -2694,8 +2695,9 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
 section->address = bfd_get_section_vma (abfd, sec);
 section->user_data = sec;
 section->size = bfd_get_section_size (sec);
- amt = section->size + 1;
- if (amt == 0)
+ /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */
+ alloced = amt = section->size + 1;
+ if (alloced != amt || alloced == 0)
 {
 section->start = NULL;
 free_debug_section (debug);
@@ -2704,7 +2706,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
 (unsigned long long) section->size);
 return FALSE;
 }
- section->start = contents = malloc (amt);
+ section->start = contents = malloc (alloced);
 if (section->start == NULL
 || !bfd_get_full_section_contents (abfd, sec, &contents))
 {
--
cgit v1.1
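Review bot: The ChangeLog text in the commit message lists only load_specific_debug_section, yet the first hunk also changes `buffer_len` in sanitize_string from `unsigned int` to `size_t`; the entry should record that too, for example `(sanitize_string): Use size_t for buffer_len.`. The code that grows and fills `buffer` lies outside this hunk, so it is worth confirming that no `unsigned int` temporary remains in the length computation there, since a narrower intermediate would undo the widening.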
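Review bot: The guard `if (alloced != amt || alloced == 0)` in the third hunk depends on a narrowing conversion that is hidden inside the chained assignment `alloced = amt = section->size + 1;`; writing it as `amt = section->size + 1;` followed by `alloced = (size_t) amt;` makes the truncation under test explicit and keeps conversion warnings quiet. The comment states the size relation as always true on 32-bit hosts, which presumably holds only when bfd_size_type is built as a 64-bit type, so `/* PR 24360: bfd_size_type can be wider than size_t; reject a size that does not survive the conversion.  */` would be more exact. The check rejects only wrap-around and truncation: a corrupt header can still claim a size just under the limit, and the `malloc (alloced)` in the fourth hunk then relies on allocation failure alone, with no comparison against the file size visible here. The function body starts and ends outside these hunks.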