aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Modra <amodra@gmail.com>2020-01-06 17:12:51 +1030
committerAlan Modra <amodra@gmail.com>2020-01-06 21:53:51 +1030
commit85d8681747faa317c9934f658dcf8749e945ea8c (patch)
treeda5687da2ec727a19a0277c5dc4bdc94baf36f57
parent3e6aa7751ab86fdc2f2762ed8a5bce41b22be56e (diff)
downloadgdb-85d8681747faa317c9934f658dcf8749e945ea8c.zip
gdb-85d8681747faa317c9934f658dcf8749e945ea8c.tar.gz
gdb-85d8681747faa317c9934f658dcf8749e945ea8c.tar.bz2
som_bfd_fill_in_ar_symbols buffer overflow
* som.c (som_bfd_fill_in_ar_symbols): Bounds check som_dict index.
-rw-r--r--bfd/ChangeLog4
-rw-r--r--bfd/som.c23
2 files changed, 21 insertions, 6 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 1d2b346..2aed0db 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,9 @@
2020-01-06 Alan Modra <amodra@gmail.com>
+ * som.c (som_bfd_fill_in_ar_symbols): Bounds check som_dict index.
+
+2020-01-06 Alan Modra <amodra@gmail.com>
+
* mach-o.c (bfd_mach_o_read_dylinker): Don't read past end of
command. Check name offset is within command.
(bfd_mach_o_read_dylib, bfd_mach_o_read_prebound_dylib),
diff --git a/bfd/som.c b/bfd/som.c
index 954b752..779fd5d 100644
--- a/bfd/som.c
+++ b/bfd/som.c
@@ -6002,6 +6002,7 @@ som_bfd_fill_in_ar_symbols (bfd *abfd,
size_t len;
unsigned char ext_len[4];
char *name;
+ unsigned int ndx;
/* An empty chain has zero as it's file offset. */
hash_val = bfd_getb32 (hash_table + 4 * i);
@@ -6048,9 +6049,14 @@ som_bfd_fill_in_ar_symbols (bfd *abfd,
/* Fill in the file offset. Note that the "location" field points
to the SOM itself, not the ar_hdr in front of it. */
- set->file_offset =
- bfd_getb32 (som_dict[bfd_getb32 (lst_symbol.som_index)].location)
- - sizeof (struct ar_hdr);
+ ndx = bfd_getb32 (lst_symbol.som_index);
+ if (ndx >= lst_header->module_count)
+ {
+ bfd_set_error (bfd_error_bad_value);
+ goto error_return;
+ }
+ set->file_offset
+ = bfd_getb32 (som_dict[ndx].location) - sizeof (struct ar_hdr);
/* Go to the next symbol. */
set++;
@@ -6097,9 +6103,14 @@ som_bfd_fill_in_ar_symbols (bfd *abfd,
/* Fill in the file offset. Note that the "location" field points
to the SOM itself, not the ar_hdr in front of it. */
- set->file_offset =
- bfd_getb32 (som_dict[bfd_getb32 (lst_symbol.som_index)].location)
- - sizeof (struct ar_hdr);
+ ndx = bfd_getb32 (lst_symbol.som_index);
+ if (ndx >= lst_header->module_count)
+ {
+ bfd_set_error (bfd_error_bad_value);
+ goto error_return;
+ }
+ set->file_offset
+ = bfd_getb32 (som_dict[ndx].location) - sizeof (struct ar_hdr);
/* Go on to the next symbol. */
set++;