author | Nick Clifton <nickc@redhat.com> | 2014-11-04 13:15:37 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2014-11-04 13:15:37 +0000 |
commit | bb0d867169d7e9743d229804106a8fbcab7f3b3f (patch) | |
tree | 1935b77fb6191c941d451997eb07b0b66e80e13b | |
parent | ed9e98c214dde25cc9ff54bac7191c3824be3ffa (diff) | |
Fix a seg-fault triggered by reading a mal-formed archive.
PR binutils/17533
* archive.c (_bfd_slurp_extended_name_table): Handle archives with
corrupt extended name tables.
-rw-r--r-- | bfd/ChangeLog | 6 | ||||
-rw-r--r-- | bfd/archive.c | 9 |
2 files changed, 13 insertions, 2 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog index c8e23ba..8c3669b 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2014-11-04 Nick Clifton <nickc@redhat.com> + + PR binutils/17533 + * archive.c (_bfd_slurp_extended_name_table): Handle archives with + corrupt extended name tables. + 2014-11-04 Alan Modra <amodra@gmail.com> * elf32-spu.c (ovl_mgr_stat): New function. diff --git a/bfd/archive.c b/bfd/archive.c index 40a3395..b905213 100644 --- a/bfd/archive.c +++ b/bfd/archive.c @@ -1293,6 +1293,9 @@ _bfd_slurp_extended_name_table (bfd *abfd) amt = namedata->parsed_size; if (amt + 1 == 0) goto byebye; + /* PR binutils/17533: A corrupt archive can contain an invalid size. */ + if (amt > (bfd_size_type) bfd_get_size (abfd)) + goto byebye; bfd_ardata (abfd)->extended_names_size = amt; bfd_ardata (abfd)->extended_names = (char *) bfd_zalloc (abfd, amt + 1); @@ -1300,6 +1303,8 @@ _bfd_slurp_extended_name_table (bfd *abfd) { byebye: free (namedata); + bfd_ardata (abfd)->extended_names = NULL; + bfd_ardata (abfd)->extended_names_size = 0; return FALSE; } @@ -1308,7 +1313,6 @@ _bfd_slurp_extended_name_table (bfd *abfd) if (bfd_get_error () != bfd_error_system_call) bfd_set_error (bfd_error_malformed_archive); bfd_release (abfd, (bfd_ardata (abfd)->extended_names)); - bfd_ardata (abfd)->extended_names = NULL; goto byebye; } @@ -1316,11 +1320,12 @@ _bfd_slurp_extended_name_table (bfd *abfd) text, the entries in the list are newline-padded, not null padded. In SVR4-style archives, the names also have a trailing '/'. DOS/NT created archive often have \ in them - We'll fix all problems here.. */ + We'll fix all problems here. */ { char *ext_names = bfd_ardata (abfd)->extended_names; char *temp = ext_names; char *limit = temp + namedata->parsed_size; + for (; temp < limit; ++temp) { if (*temp == ARFMAG[1]) |
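Review bot: In the first bfd/archive.c hunk the new bound check `if (amt > (bfd_size_type) bfd_get_size (abfd)) goto byebye;` returns FALSE without recording why. The `byebye` path shown in the next hunk only frees `namedata` and resets the two fields, whereas the read-failure path further down calls `bfd_set_error (bfd_error_malformed_archive)` before jumping, so a caller that inspects `bfd_get_error ()` may see a stale code for a corrupt size. I would write the branch as `{ bfd_set_error (bfd_error_malformed_archive); goto byebye; }`. It is also worth confirming what `bfd_get_size` reports when the size cannot be determined: if it can return 0, every non-empty name table would be rejected, and a guard such as `filesize != 0 && amt > filesize` avoids that. The body of `_bfd_slurp_extended_name_table` starts and ends outside the hunk, so the earlier `amt + 1 == 0` path and the callers were not checked.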