author | Nick Clifton <nickc@redhat.com> | 2014-11-21 13:37:39 +0000 |
committer | Nick Clifton <nickc@redhat.com> | 2014-11-21 13:37:39 +0000 |
commit | 5d921cbd81554867007e903b634acc6bc8281f9f (patch) | |
tree | 78e5a5f2bdfdd42d8628167671eb4d04701ad35a | |
parent | cd11f78f810cf12b04046ac954ceb6528b00956c (diff) | |
Resolve more problems with readelf uncovered by fuzzing binary files.
PR binutils/17531
* readelf.c (process_version_sections): Prevent an infinite loop
processing corrupt version need data.
(process_corefile_note_segment): Handle corrupt notes.
-rw-r--r-- | binutils/ChangeLog | 7 | ||||
-rw-r--r-- | binutils/readelf.c | 8 |
2 files changed, 14 insertions, 1 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 8e3976a..cc4590a 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,10 @@
+2014-11-21 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/17531
+ * readelf.c (process_version_sections): Prevent an infinite loop
+ processing corrupt version need data.
+ (process_corefile_note_segment): Handle corrupt notes.
+
 2014-11-21 Terry Guo <terry.guo@arm.com>
 * readelf.c (arm_attr_tag_FP_arch): Extended to support FPv5.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index b7269d1..e8ce279 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -9133,6 +9133,10 @@ process_version_sections (FILE * file)
 if (j < ent.vd_cnt)
 printf (_(" Version def aux past end of section\n"));
+ /* PR 17531: file: id:000001,src:000172+005151,op:splice,rep:2. */
+ if (idx + ent.vd_next <= idx)
+ break;
+
 idx += ent.vd_next;
 }
@@ -14686,6 +14690,9 @@ process_corefile_note_segment (FILE * file, bfd_vma offset, bfd_vma length)
 if (inote.descdata < (char *) external + min_notesz
 || next < (char *) external + min_notesz
+ /* PR binutils/17531: file: id:000000,sig:11,src:006986,op:havoc,rep:4. */
+ || inote.namedata + inote.namesz < inote.namedata
+ || inote.descdata + inote.descsz < inote.descdata
 || data_remaining < (size_t)(next - (char *) external))
 {
 warn (_("note with invalid namesz and/or descsz found at offset 0x%lx\n"),
@@ -14704,7 +14711,6 @@ process_corefile_note_segment (FILE * file, bfd_vma offset, bfd_vma length)
 if (inote.namedata[inote.namesz - 1] != '\0')
 {
 temp = (char *) malloc (inote.namesz + 1);
-
 if (temp == NULL)
 {
 error (_("Out of memory allocating space for inote name\n")); |
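Review bot: The new guard `if (idx + ent.vd_next <= idx)` in process_version_sections is explained only by a fuzzer case id, which tells a later reader nothing about the condition being rejected; a comment stating the intent would help, e.g. `/* A zero (or wrapping) vd_next would leave idx on the same entry and re-parse it until the cnt bound is exhausted.  */`. Whether the `<=` also catches arithmetic wrap depends on the declared widths of `idx` and `vd_next`, which are outside the hunk — if the sum is promoted to a wider type the check can only trip on vd_next == 0, so the comment should not promise overflow protection unless that has been confirmed. The ChangeLog entry describes this as corrupt "version need" data, but the surrounding lines (`ent.vd_cnt`, the "Version def aux" message) suggest this loop handles version definitions, so the entry may want correcting. The enclosing function continues outside the hunk.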
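Review bot: The two added checks `inote.namedata + inote.namesz < inote.namedata` and `inote.descdata + inote.descsz < inote.descdata` in process_corefile_note_segment depend on pointer arithmetic wrapping, which is undefined behaviour in C; a compiler may fold `p + n < p` to false for an unsigned `n` and silently drop the check, leaving the corrupt-note case unhandled. Because `data_remaining` is already compared against the byte span of the note in the existing condition, testing the sizes as integers avoids the problem: `|| inote.namesz > data_remaining` and `|| inote.descsz > data_remaining`, placed before the comparison that uses `next`, so a wrapped `next` is never relied on. The computation of `next` from `inote.descdata` and `inote.descsz` happens above the hunk and presumably has the same exposure; the enclosing function starts and ends outside the hunk.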