author: Alan Modra <amodra@gmail.com> 2021-05-25 13:36:20 +0930
committer: Alan Modra <amodra@gmail.com> 2021-05-25 15:07:08 +0930
commit: 4be1e8dbb3f8da8058ed93dfc222ee6dffb02e60 (patch)
tree: 80e545d4cf7a8bc7386b0af657b6efefb905123a /bfd/ChangeLog
parent: e63e5f9f9f9c7922dfc348b1637d1fd0a2b353d2 (diff)
asan: _bfd_elf_parse_attributes heap buffer overflow
I exposed a problem with the change in commit 574ec1084d to the outer loop of _bfd_elf_parse_attributes. "p_end - p >= 4" is better than "p < p_end - 4" as far as pointer UB is concerned if the size of the attribute section is, say, 3 bytes. However you do need to ensure p never exceeds p_end, and that length remaining is kept consistent with the pointer.

	* elf-attrs.c (elf_attr_strdup): New function.
	(_bfd_elf_attr_strdup): Use it here.
	(elf_add_obj_attr_string): New function, extracted from..
	(bfd_elf_add_obj_attr_string): ..here.
	(elf_add_obj_attr_int_string): New function, extracted from..
	(bfd_elf_add_obj_attr_int_string): ..here.
	(_bfd_elf_parse_attributes): Don't allocate an extra byte for a
	string terminator.  Instead ensure parsing doesn't go past
	end of sub-section.  Use size_t variables for lengths.
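The bound the message argues for, shown as an added example that is not binutils code: a hypothetical walker over the sub-section headers of an ELF object-attributes section (assumed layout: a format byte 'A', then sub-sections each starting with a 4-byte little-endian length that counts the length field itself, followed by a NUL-terminated vendor name). It checks `p_end - p >= 4` instead of forming `p_end - 4`, keeps the remaining length tied to the pointer, and finds the string terminator only inside the sub-section rather than assuming a spare byte past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper, not from elf-attrs.c.  Reads a little-endian
   32-bit length field. */
static uint32_t rd_u32_le(const unsigned char *p)
{
  return (uint32_t)p[0] | (uint32_t)p[1] << 8
         | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walks the sub-section headers of an attributes section held in
   buf[0..size).  Returns the number of well-formed sub-sections, or -1
   if a header or vendor name would run past the end of its sub-section. */
int count_attr_subsections(const unsigned char *buf, size_t size)
{
  const unsigned char *p = buf, *p_end = buf + size;
  int n = 0;

  if (size < 1 || *p != 'A')
    return -1;
  p++;

  /* "p_end - p >= 4" is a plain difference of two valid pointers; with a
     3-byte section, "p < p_end - 4" would first compute a pointer before
     the start of the buffer.  A trailing fragment shorter than a length
     field simply ends the walk. */
  while (p_end - p >= 4)
    {
      size_t len = rd_u32_le(p);           /* size_t, not int, for lengths */
      const unsigned char *sub_end, *name, *nul;

      /* The length covers the field itself and must fit in what remains,
         so sub_end never exceeds p_end. */
      if (len < 4 || len > (size_t)(p_end - p))
        return -1;
      sub_end = p + len;
      name = p + 4;

      /* Look for the terminator only within the sub-section: no extra
         byte is assumed beyond sub_end. */
      nul = memchr(name, 0, (size_t)(sub_end - name));
      if (nul == NULL)
        return -1;

      n++;
      p = sub_end;   /* pointer and remaining length advance together */
    }
  return n;
}
```

The constructed inputs below exercise a 3-byte section, a sub-section whose length overruns the buffer, and a vendor name with no terminator inside its sub-section.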
Diffstat (limited to 'bfd/ChangeLog'):
 bfd/ChangeLog | 12 ++++++++++++
 1 file changed, 12 insertions, 0 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index a240941..516b816 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,15 @@
+2021-05-25 Alan Modra <amodra@gmail.com>
+
+ * elf-attrs.c (elf_attr_strdup): New function.
+ (_bfd_elf_attr_strdup): Use it here.
+ (elf_add_obj_attr_string): New function, extracted from..
+ (bfd_elf_add_obj_attr_string): ..here.
+ (elf_add_obj_attr_int_string): New function, extracted from..
+ (bfd_elf_add_obj_attr_int_string): ..here.
+ (_bfd_elf_parse_attributes): Don't allocate an extra byte for a
+ string terminator. Instead ensure parsing doesn't go past
+ end of sub-section. Use size_t variables for lengths.
+
2021-05-22 Alan Modra <amodra@gmail.com>
* libbfd.c (_bfd_safe_read_leb128): Remove length_return parameter.
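Review bot: the new entry's line for _bfd_elf_parse_attributes records what changed but not why, while the commit message traces the heap buffer overflow reported by ASAN to the loop-bound change in commit 574ec1084d; a ChangeLog reader has no way to connect "ensure parsing doesn't go past end of sub-section" to that regression. Consider ending the entry with a reference to the regressing commit, e.g. "Fixes heap buffer overflow introduced by commit 574ec1084d.", so the fix stays traceable from the ChangeLog alone.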