diff options
author | Nick Clifton <nickc@redhat.com> | 2015-01-21 10:33:19 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2015-01-21 10:33:19 +0000 |
commit | 5b7d62376fc942a803d174789fe4464b26f09a02 (patch) | |
tree | c4db8c8aaa99a110c7dbf3a5fd7eae470813d425 | |
parent | 901e4fdf1622fce9bfda3d3b8f4c9a20665f5cee (diff) | |
download | gdb-5b7d62376fc942a803d174789fe4464b26f09a02.zip gdb-5b7d62376fc942a803d174789fe4464b26f09a02.tar.gz gdb-5b7d62376fc942a803d174789fe4464b26f09a02.tar.bz2 |
This patch fixes some illegal memory accesses triggered by running coffdump on fuzzed binaries.
PR binutils/17512
* coffgrok.c (do_type): Check that computed ref exists.
(doit): Add range checks when computing section for scope.
-rw-r--r-- | binutils/ChangeLog | 6 | ||||
-rw-r--r-- | binutils/coffgrok.c | 19 |
2 files changed, 21 insertions, 4 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 372230e..d25b8b6 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,9 @@ +2015-01-21 Nick Clifton <nickc@redhat.com> + + PR binutils/17512 + * coffgrok.c (do_type): Check that computed ref exists. + (doit): Add range checks when computing section for scope. + 2015-01-12 H.J. Lu <hongjiu.lu@intel.com> * dwarf.c (process_debug_info): Properly check abbrev size. diff --git a/binutils/coffgrok.c b/binutils/coffgrok.c index a4c9d54..5dc9558 100644 --- a/binutils/coffgrok.c +++ b/binutils/coffgrok.c @@ -476,7 +476,11 @@ do_type (unsigned int i) /* Referring to a enum defined elsewhere. */ res->type = coff_enumref_type; res->u.aenumref.ref = tindex[idx]; - res->size = res->u.aenumref.ref->type->size; + /* PR 17512: file: b85b67e8. */ + if (res->u.aenumref.ref) + res->size = res->u.aenumref.ref->type->size; + else + res->size = 0; } else { @@ -740,7 +744,11 @@ doit (void) /* PR 17512: file: 0ef7fbaf. */ if (last_function_type) last_function_type->u.function.code = top_scope; - top_scope->sec = ofile->sections + sym->n_scnum; + /* PR 17512: file: 22908266. */ + if (sym->n_scnum < ofile->nsections && sym->n_scnum >= 0) + top_scope->sec = ofile->sections + sym->n_scnum; + else + top_scope->sec = NULL; top_scope->offset = sym->n_value; } else @@ -750,7 +758,6 @@ doit (void) fatal (_("Function start encountered without a top level scope.")); top_scope->size = sym->n_value - top_scope->offset + 1; pop_scope (); - } i += sym->n_numaux + 1; } @@ -764,7 +771,11 @@ doit (void) { /* Block start. */ push_scope (1); - top_scope->sec = ofile->sections + sym->n_scnum; + /* PR 17512: file: af7e8e83. */ + if (sym->n_scnum < ofile->nsections && sym->n_scnum >= 0) + top_scope->sec = ofile->sections + sym->n_scnum; + else + top_scope->sec = NULL; top_scope->offset = sym->n_value; } else |