authorNick Clifton <nickc@redhat.com>2014-11-21 13:37:39 +0000
committerNick Clifton <nickc@redhat.com>2014-11-21 13:37:39 +0000
commit5d921cbd81554867007e903b634acc6bc8281f9f (patch)
tree78e5a5f2bdfdd42d8628167671eb4d04701ad35a
parentcd11f78f810cf12b04046ac954ceb6528b00956c (diff)
Resolve more problems with readelf uncovered by fuzzing binary files.
PR binutils/17531 * readelf.c (process_version_sections): Prevent an infinite loop processing corrupt version need data. (process_corefile_note_segment): Handle corrupt notes.
-rw-r--r--binutils/ChangeLog7
-rw-r--r--binutils/readelf.c8
2 files changed, 14 insertions, 1 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 8e3976a..cc4590a 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,10 @@
+2014-11-21 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/17531
+ * readelf.c (process_version_sections): Prevent an infinite loop
+ processing corrupt version need data.
+ (process_corefile_note_segment): Handle corrupt notes.
+
2014-11-21 Terry Guo <terry.guo@arm.com>
* readelf.c (arm_attr_tag_FP_arch): Extended to support FPv5.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index b7269d1..e8ce279 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -9133,6 +9133,10 @@ process_version_sections (FILE * file)
if (j < ent.vd_cnt)
printf (_(" Version def aux past end of section\n"));
+ /* PR 17531: file: id:000001,src:000172+005151,op:splice,rep:2. */
+ if (idx + ent.vd_next <= idx)
+ break;
+
idx += ent.vd_next;
}
@@ -14686,6 +14690,9 @@ process_corefile_note_segment (FILE * file, bfd_vma offset, bfd_vma length)
if (inote.descdata < (char *) external + min_notesz
|| next < (char *) external + min_notesz
+ /* PR binutils/17531: file: id:000000,sig:11,src:006986,op:havoc,rep:4. */
+ || inote.namedata + inote.namesz < inote.namedata
+ || inote.descdata + inote.descsz < inote.descdata
|| data_remaining < (size_t)(next - (char *) external))
{
warn (_("note with invalid namesz and/or descsz found at offset 0x%lx\n"),
@@ -14704,7 +14711,6 @@ process_corefile_note_segment (FILE * file, bfd_vma offset, bfd_vma length)
if (inote.namedata[inote.namesz - 1] != '\0')
{
temp = (char *) malloc (inote.namesz + 1);
-
if (temp == NULL)
{
error (_("Out of memory allocating space for inote name\n"));
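Review bot: The two added guards `inote.namedata + inote.namesz < inote.namedata` and `inote.descdata + inote.descsz < inote.descdata` rely on out-of-range pointer arithmetic wrapping, which is undefined behaviour in C, so an optimising compiler is entitled to treat `p + n < p` as always false and drop the check entirely. The robust form compares the sizes as integers against what is actually left in the buffer, e.g. `|| inote.namesz > data_remaining` and `|| inote.descsz > data_remaining`, which also rejects a namesz that is large but does not happen to wrap. If `inote.descdata` and `next` are derived from `namesz`/`descsz` above the hunk (as they appear to be), that integer check should run before those pointers are formed, since forming them is already the undefined step. The unsigned wrap test in the first hunk, `idx + ent.vd_next <= idx`, is sound only if `idx` is an unsigned type, which is worth confirming from its declaration outside the hunk. The enclosing `process_corefile_note_segment` starts and ends outside the hunk.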