diff options
| author | Nick Clifton <nickc@redhat.com> | 2015-01-08 13:52:42 +0000 |
|---|---|---|
| committer | Nick Clifton <nickc@redhat.com> | 2015-01-08 13:52:42 +0000 |
| commit | 848cde35d61874521ad6c88a50f983d5ee7d2307 (patch) | |
| tree | c744f90c3d70c0af5464c379b61da68dbd5daad1 | |
| parent | 2279a12a44ede7a0a6d7375d90d33676fa8771ad (diff) | |
| download | gdb-848cde35d61874521ad6c88a50f983d5ee7d2307.zip gdb-848cde35d61874521ad6c88a50f983d5ee7d2307.tar.gz gdb-848cde35d61874521ad6c88a50f983d5ee7d2307.tar.bz2 | |
Fix memory access violations triggered by running sysdump on fuzzed binaries.
PR binutils/17512
* sysdump.c (getINT): Fail if reading off the end of the buffer.
Replace call to abort with a call to fatal.
(getCHARS): Prevetn reading off the end of the buffer.
| -rw-r--r-- | binutils/ChangeLog | 4 | ||||
| -rw-r--r-- | binutils/sysdump.c | 14 |
2 files changed, 16 insertions, 2 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog index cfad0f7..d6c3070 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,6 +1,10 @@ 2015-01-08 Nick Clifton <nickc@redhat.com> PR binutils/17512 + * sysdump.c (getINT): Fail if reading off the end of the buffer. + Replace call to abort with a call to fatal. + (getCHARS): Prevetn reading off the end of the buffer. + * nlmconv.c (i386_mangle_relocs): Skip relocs without an associated symbol. (powerpc_mangle_relocs): Skip unrecognised relocs. Check address diff --git a/binutils/sysdump.c b/binutils/sysdump.c index 37dd162..ac350e1 100644 --- a/binutils/sysdump.c +++ b/binutils/sysdump.c @@ -66,6 +66,9 @@ getCHARS (unsigned char *ptr, int *idx, int size, int max) if (b == 0) { + /* PR 17512: file: 13caced2. */ + if (oc >= max) + return _("*corrupt*"); /* Got to work out the length of the string from self. */ b = ptr[oc++]; (*idx) += 8; @@ -166,7 +169,12 @@ getINT (unsigned char *ptr, int *idx, int size, int max) int byte = *idx / 8; if (byte >= max) - return 0; + { + /* PR 17512: file: id:000001,src:000002,op:flip1,pos:45. */ + /* Prevent infinite loops re-reading beyond the end of the buffer. */ + fatal (_("ICE: getINT: Out of buffer space")); + return 0; + } if (size == -2) size = addrsize; @@ -188,7 +196,7 @@ getINT (unsigned char *ptr, int *idx, int size, int max) n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]); break; default: - abort (); + fatal (_("Unsupported read size: %d"), size); } *idx += size * 8; @@ -615,6 +623,8 @@ module (void) do { c = getc (file); + if (c == EOF) + break; ungetc (c, file); c &= 0x7f; |