author | Alan Modra <amodra@gmail.com> | 2025-03-08 19:49:06 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2025-03-08 21:36:41 +1030 |
commit | 684f3e906cc75af90192f11a57364c6462774c3a (patch) | |
tree | da88e227107aaa7c8c126e322298c8402cf95db2 | |
parent | 1563d43f32090495d50f0c262d6e1bcc17807064 (diff) | |
bfd_elf_parse_attr_section_v1 buffer overflow
This function has a misleading parameter "contents", which usually
means the entire section contents are passed. However, in this case the
actual section contents plus one is passed, leading to a miscalculation
of the end of the buffer.
* elf-attrs.c (bfd_elf_parse_attr_section_v1): Delete hdr and
contents param. Add p and p_end as params.
(_bfd_elf_parse_attributes): Adjust to suit.
-rw-r--r-- | bfd/elf-attrs.c | 10 |
1 files changed, 3 insertions, 7 deletions
diff --git a/bfd/elf-attrs.c b/bfd/elf-attrs.c
index a6a7236..e80575b 100644
--- a/bfd/elf-attrs.c
+++ b/bfd/elf-attrs.c
@@ -490,12 +490,8 @@ _bfd_elf_obj_attrs_arg_type (bfd *abfd, int vendor, unsigned int tag)
 }
 static void
-bfd_elf_parse_attr_section_v1 (bfd *abfd,
- Elf_Internal_Shdr * hdr,
- bfd_byte *contents)
+bfd_elf_parse_attr_section_v1 (bfd *abfd, bfd_byte *p, bfd_byte *p_end)
 {
- bfd_byte *p = contents;
- bfd_byte *p_end = p + hdr->sh_size;
 const char *std_sec = get_elf_backend_data (abfd)->obj_attrs_vendor;
 while (p_end - p >= 4)
@@ -651,9 +647,9 @@ _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr)
 ++cursor;
-bfd_elf_parse_attr_section_v1 (abfd, hdr, cursor);
+bfd_elf_parse_attr_section_v1 (abfd, cursor, data + hdr->sh_size);
-free_data:
+ free_data:
 free (data);
 }
|
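Review bot: The new signature of `bfd_elf_parse_attr_section_v1` has no comment stating what `p` and `p_end` must be, although the commit message attributes the overflow to a misleading parameter. Every bounds check in the body, starting with `while (p_end - p >= 4)`, now depends on the caller passing a true one-past-the-end pointer. I would add above the definition: `/* Parse version 'A' attribute data in [P, P_END). P points just past the version byte; P_END is one past the last byte of the section contents buffer.  */`. The function body continues past the end of the hunk, so the remaining uses of `p_end` are not visible here.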
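Review bot: The end pointer `data + hdr->sh_size` at the new call is only a valid bound if `data` holds exactly `hdr->sh_size` bytes and that size is at least one, because `cursor` has already been advanced past the version byte. The allocation and any size checks are above the hunk, so this is something to confirm rather than a known defect. A short comment at the call, for example `/* The end is relative to DATA, not CURSOR: the version byte is already consumed.  */`, would help prevent the off-by-one from being reintroduced. The re-indent of the `free_data:` label is unrelated to the fix and would backport more cleanly as a separate commit.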