aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Clifton <nickc@redhat.com>2015-01-22 12:06:04 +0000
committerNick Clifton <nickc@redhat.com>2015-01-22 12:06:04 +0000
commit4e5cb37e7f3403d5398a323566ff9c995f0c9a81 (patch)
tree6c1f448ab158160c868ef83e3e3251a90b5b39ef
parentb01a4b043a5b08e1208b1fedd61a6f3d65a328e0 (diff)
downloadgdb-4e5cb37e7f3403d5398a323566ff9c995f0c9a81.zip
gdb-4e5cb37e7f3403d5398a323566ff9c995f0c9a81.tar.gz
gdb-4e5cb37e7f3403d5398a323566ff9c995f0c9a81.tar.bz2
Fixes memory access violations triggered by running dlltool on fuzzed binaries.
PR binutils/17512 * coffcode.h (handle_COMDAT): When searching for the section symbol, make sure that there is space left in the symbol table. * vms-alpha.c (_bfd_vms_slurp_ehdr): Add range checks.
Diffstat
-rw-r--r--bfd/ChangeLog7
-rw-r--r--bfd/coffcode.h7
-rw-r--r--bfd/vms-alpha.c18
3 files changed, 32 insertions, 0 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index ceb77ff..bd2f0c1 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2015-01-22 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/17512
+ * coffcode.h (handle_COMDAT): When searching for the section
+ symbol, make sure that there is space left in the symbol table.
+ * vms-alpha.c (_bfd_vms_slurp_ehdr): Add range checks.
+
2015-01-21 Nick Clifton <nickc@redhat.com>
PR binutils/17512
diff --git a/bfd/coffcode.h b/bfd/coffcode.h
index 181f9af..76e5873 100644
--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -1009,6 +1009,13 @@ handle_COMDAT (bfd * abfd,
seen_state = 1;
+ /* PR 17512: file: e2cfe54f. */
+ if (esym + bfd_coff_symesz (abfd) >= esymend)
+ {
+ _bfd_error_handler (_("%B: warning: No symbol for section '%s' found"),
+ abfd, symname);
+ break;
+ }
/* This is the section symbol. */
bfd_coff_swap_aux_in (abfd, (esym + bfd_coff_symesz (abfd)),
isym.n_type, isym.n_sclass,
diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
index faddf7c..9576607 100644
--- a/bfd/vms-alpha.c
+++ b/bfd/vms-alpha.c
@@ -859,9 +859,12 @@ _bfd_vms_slurp_ehdr (bfd *abfd)
{
unsigned char *ptr;
unsigned char *vms_rec;
+ unsigned char *end;
int subtype;
vms_rec = PRIV (recrd.rec);
+ /* PR 17512: file: 62736583. */
+ end = PRIV (recrd.buf) + PRIV (recrd.buf_size);
vms_debug2 ((2, "HDR/EMH\n"));
@@ -873,28 +876,42 @@ _bfd_vms_slurp_ehdr (bfd *abfd)
{
case EMH__C_MHD:
/* Module header. */
+ if (vms_rec + 21 >= end)
+ goto fail;
PRIV (hdr_data).hdr_b_strlvl = vms_rec[6];
PRIV (hdr_data).hdr_l_arch1 = bfd_getl32 (vms_rec + 8);
PRIV (hdr_data).hdr_l_arch2 = bfd_getl32 (vms_rec + 12);
PRIV (hdr_data).hdr_l_recsiz = bfd_getl32 (vms_rec + 16);
+ if ((vms_rec + 20 + vms_rec[20] + 1) >= end)
+ goto fail;
PRIV (hdr_data).hdr_t_name = _bfd_vms_save_counted_string (vms_rec + 20);
ptr = vms_rec + 20 + vms_rec[20] + 1;
+ if ((ptr + *ptr + 1) >= end)
+ goto fail;
PRIV (hdr_data).hdr_t_version =_bfd_vms_save_counted_string (ptr);
ptr += *ptr + 1;
+ if (ptr + 17 >= end)
+ goto fail;
PRIV (hdr_data).hdr_t_date = _bfd_vms_save_sized_string (ptr, 17);
break;
case EMH__C_LNM:
+ if (vms_rec + PRIV (recrd.rec_size - 6) > end)
+ goto fail;
PRIV (hdr_data).hdr_c_lnm =
_bfd_vms_save_sized_string (vms_rec, PRIV (recrd.rec_size - 6));
break;
case EMH__C_SRC:
+ if (vms_rec + PRIV (recrd.rec_size - 6) > end)
+ goto fail;
PRIV (hdr_data).hdr_c_src =
_bfd_vms_save_sized_string (vms_rec, PRIV (recrd.rec_size - 6));
break;
case EMH__C_TTL:
+ if (vms_rec + PRIV (recrd.rec_size - 6) > end)
+ goto fail;
PRIV (hdr_data).hdr_c_ttl =
_bfd_vms_save_sized_string (vms_rec, PRIV (recrd.rec_size - 6));
break;
@@ -905,6 +922,7 @@ _bfd_vms_slurp_ehdr (bfd *abfd)
break;
default:
+ fail:
bfd_set_error (bfd_error_wrong_format);
return FALSE;
}
generated by cgit v1.1 at 2024-11-25 22:28:59 +0000