author | Alan Modra <amodra@gmail.com> | 2020-01-06 17:12:51 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2020-01-06 21:53:51 +1030 |
commit | 85d8681747faa317c9934f658dcf8749e945ea8c (patch) | |
tree | da5687da2ec727a19a0277c5dc4bdc94baf36f57 | |
parent | 3e6aa7751ab86fdc2f2762ed8a5bce41b22be56e (diff) | |
download | gdb-85d8681747faa317c9934f658dcf8749e945ea8c.zip gdb-85d8681747faa317c9934f658dcf8749e945ea8c.tar.gz gdb-85d8681747faa317c9934f658dcf8749e945ea8c.tar.bz2 |
som_bfd_fill_in_ar_symbols buffer overflow
* som.c (som_bfd_fill_in_ar_symbols): Bounds check som_dict index.
-rw-r--r-- | bfd/ChangeLog | 4 | ||||
-rw-r--r-- | bfd/som.c | 23 |
2 files changed, 21 insertions, 6 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 1d2b346..2aed0db 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,5 +1,9 @@ 2020-01-06 Alan Modra <amodra@gmail.com> + * som.c (som_bfd_fill_in_ar_symbols): Bounds check som_dict index. + +2020-01-06 Alan Modra <amodra@gmail.com> + * mach-o.c (bfd_mach_o_read_dylinker): Don't read past end of command. Check name offset is within command. (bfd_mach_o_read_dylib, bfd_mach_o_read_prebound_dylib), @@ -6002,6 +6002,7 @@ som_bfd_fill_in_ar_symbols (bfd *abfd, size_t len; unsigned char ext_len[4]; char *name; + unsigned int ndx; /* An empty chain has zero as it's file offset. */ hash_val = bfd_getb32 (hash_table + 4 * i); @@ -6048,9 +6049,14 @@ som_bfd_fill_in_ar_symbols (bfd *abfd, /* Fill in the file offset. Note that the "location" field points to the SOM itself, not the ar_hdr in front of it. */ - set->file_offset = - bfd_getb32 (som_dict[bfd_getb32 (lst_symbol.som_index)].location) - - sizeof (struct ar_hdr); + ndx = bfd_getb32 (lst_symbol.som_index); + if (ndx >= lst_header->module_count) + { + bfd_set_error (bfd_error_bad_value); + goto error_return; + } + set->file_offset + = bfd_getb32 (som_dict[ndx].location) - sizeof (struct ar_hdr); /* Go to the next symbol. */ set++; @@ -6097,9 +6103,14 @@ som_bfd_fill_in_ar_symbols (bfd *abfd, /* Fill in the file offset. Note that the "location" field points to the SOM itself, not the ar_hdr in front of it. */ - set->file_offset = - bfd_getb32 (som_dict[bfd_getb32 (lst_symbol.som_index)].location) - - sizeof (struct ar_hdr); + ndx = bfd_getb32 (lst_symbol.som_index); + if (ndx >= lst_header->module_count) + { + bfd_set_error (bfd_error_bad_value); + goto error_return; + } + set->file_offset + = bfd_getb32 (som_dict[ndx].location) - sizeof (struct ar_hdr); /* Go on to the next symbol. */ set++; |
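Review bot: The `location` value in `set->file_offset = bfd_getb32 (som_dict[ndx].location) - sizeof (struct ar_hdr);` is still used unchecked in both places where the new index check was added (the hunks at -6048 and -6097). Both operands are unsigned, so a dictionary entry whose location is smaller than the archive header size makes the subtraction wrap and stores an out-of-range `file_offset`; whether later users of that field reject it is not visible here. Since the index is file data that needed validating, the location deserves the same guard, e.g. `if (ndx >= lst_header->module_count || bfd_getb32 (som_dict[ndx].location) < sizeof (struct ar_hdr))`. The check also assumes `som_dict` was allocated with `module_count` entries, which happens outside these hunks, so a comment such as `/* som_dict holds lst_header->module_count entries. */` above the test would record that. The function body starts and ends outside the hunks, and the same eight lines now appear twice, so a small static helper would keep the two copies from drifting.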