authorAlan Modra <amodra@gmail.com>2020-05-11 18:00:31 +0930
committerAlan Modra <amodra@gmail.com>2020-05-11 18:11:26 +0930
commit4d5acb1ea570f04f8020338bad6918dfe76b785c (patch)
treef67454d0a28ddbc36215ff1080437a8c1c02c0d3
parentb59cca2581498c37fd79292deef718b2bfce8117 (diff)
PR25961, buffer overflow in coff_swap_aux_in
PR 25961 * coffgen.c (coff_get_normalized_symtab): Check that buffer contains required number of auxents before processing any auxent. * coffswap.h (coff_swap_aux_in <C_FILE>): Only swap in extended file name from auxents for PE.
-rw-r--r--bfd/ChangeLog8
-rw-r--r--bfd/coffgen.c14
-rw-r--r--bfd/coffswap.h2
3 files changed, 16 insertions, 8 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 19ecf89..38ff455 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2020-05-11 Alan Modra <amodra@gmail.com>
+
+ PR 25961
+ * coffgen.c (coff_get_normalized_symtab): Check that buffer
+ contains required number of auxents before processing any auxent.
+ * coffswap.h (coff_swap_aux_in <C_FILE>): Only swap in extended
+ file name from auxents for PE.
+
2020-05-04 Gunther Nikl <gnikl@justmail.de>
* aout-cris.c (DEFAULT_ARCH): Delete define.
diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index 6d84d51..96140e0 100644
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1818,6 +1818,13 @@ coff_get_normalized_symtab (bfd *abfd)
symbol_ptr = internal_ptr;
internal_ptr->is_sym = TRUE;
+ /* PR 17512: Prevent buffer overrun. */
+ if (symbol_ptr->u.syment.n_numaux > (raw_end - raw_src) / symesz)
+ {
+ bfd_release (abfd, internal);
+ return NULL;
+ }
+
for (i = 0;
i < symbol_ptr->u.syment.n_numaux;
i++)
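Review bot: The new n_numaux bound looks off by one: raw_src still points at the symbol entry itself when the check runs, and the aux loop in the next hunk advances raw_src by symesz before each bfd_coff_swap_aux_in, so n_numaux equal to (raw_end - raw_src) / symesz places the final aux read at raw_end. If raw_end marks the end of the raw symbol buffer, as the removed raw_src >= raw_end test suggests, the check should exclude the symbol's own slot, `if (symbol_ptr->u.syment.n_numaux > ((raw_end - 1) - raw_src) / symesz)`. The change also drops the old internal_ptr >= internal_end guard, which is only safe if internal is sized from the same entry count as the raw buffer; that cannot be confirmed from these hunks. coff_get_normalized_symtab's body begins and ends outside the hunks.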
@@ -1825,13 +1832,6 @@ coff_get_normalized_symtab (bfd *abfd)
internal_ptr++;
raw_src += symesz;
- /* PR 17512: Prevent buffer overrun. */
- if (raw_src >= raw_end || internal_ptr >= internal_end)
- {
- bfd_release (abfd, internal);
- return NULL;
- }
-
bfd_coff_swap_aux_in (abfd, (void *) raw_src,
symbol_ptr->u.syment.n_type,
symbol_ptr->u.syment.n_sclass,
diff --git a/bfd/coffswap.h b/bfd/coffswap.h
index 7c0be22..f75001e 100644
--- a/bfd/coffswap.h
+++ b/bfd/coffswap.h
@@ -399,7 +399,7 @@ coff_swap_aux_in (bfd *abfd,
#if FILNMLEN != E_FILNMLEN
#error we need to cope with truncating or extending FILNMLEN
#else
- if (numaux > 1)
+ if (numaux > 1 && coff_data (abfd)->pe)
{
if (indx == 0)
memcpy (in->x_file.x_fname, ext->x_file.x_fname,