authorAlan Modra <amodra@gmail.com>2019-02-20 18:22:50 +1030
committerAlan Modra <amodra@gmail.com>2019-02-20 18:22:50 +1030
commitc22b42ce308eb538050b4b5789e406b63102b35a (patch)
tree097dc6ca803567ca3176c58cd647dee1b4e7fe97
parentedd01d077c5f7a0f76ec4fb77b5b9f5b151fa50a (diff)
Unsigned integer overflows in readelf checks
PR 24132 PR 24138 * readelf.c (get_data): Avoid possibility of overflow when checking for a read that may extend past end of file. (process_program_headers): Likewise.
-rw-r--r--binutils/ChangeLog8
-rw-r--r--binutils/readelf.c10
2 files changed, 14 insertions, 4 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index ce933ba..ff67363 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,5 +1,13 @@
2019-02-20 Alan Modra <amodra@gmail.com>
+ PR 24132
+ PR 24138
+ * readelf.c (get_data): Avoid possibility of overflow when
+ checking for a read that may extend past end of file.
+ (process_program_headers): Likewise.
+
+2019-02-20 Alan Modra <amodra@gmail.com>
+
PR 24233
* objdump.c (dump_bfd_private_header): Print warning if
bfd_print_private_bfd_data returns false.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 77acc6a..3f424c4 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -398,10 +398,11 @@ get_data (void * var,
return NULL;
}
- /* Be kind to memory chekers (eg valgrind, address sanitizer) by not
+ /* Be kind to memory checkers (eg valgrind, address sanitizer) by not
attempting to allocate memory when the read is bound to fail. */
- if (amt > filedata->file_size
- || offset + archive_file_offset + amt > filedata->file_size)
+ if (archive_file_offset > filedata->file_size
+ || offset > filedata->file_size - archive_file_offset
+ || amt > filedata->file_size - archive_file_offset - offset)
{
if (reason)
error (_("Reading %s bytes extends past end of file for %s\n"),
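Review bot: The three clauses of the new `if` in get_data are overflow-free only in the order written, because each subtraction relies on the clause before it having short-circuited when the minuend would be the smaller value; the comment above the test does not say so. I would extend that comment with a sentence such as `Each test guards the subtraction in the next one, so keep them in this order.` so that a later reordering or merging of clauses does not reintroduce the wrap on a crafted file. The check also assumes that all operands are unsigned and of compatible width, which cannot be confirmed here because get_data's parameter list and the declaration of archive_file_offset lie outside the hunk. Note too that the "Reading %s bytes extends past end of file" message now also fires when the offset alone is beyond the end of the file, which may mislead someone triaging a malformed input.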
@@ -5235,7 +5236,8 @@ process_program_headers (Filedata * filedata)
segment. Check this after matching against the section headers
so we don't warn on debuginfo file (which have NOBITS .dynamic
sections). */
- if (dynamic_addr + dynamic_size >= filedata->file_size)
+ if (dynamic_addr > filedata->file_size
+ || dynamic_size > filedata->file_size - dynamic_addr)
{
error (_("the dynamic segment offset + size exceeds the size of the file\n"));
dynamic_addr = dynamic_size = 0;
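Review bot: The rewritten test in process_program_headers moves the boundary as well as removing the overflow: the old code rejected `dynamic_addr + dynamic_size >= filedata->file_size`, while the new one rejects only a segment that extends past the end, so a dynamic segment ending exactly at end of file is now accepted. That looks like the correct bound, but neither the ChangeLog entry nor the comment above the test mentions it; a short comment such as `/* A segment that ends exactly at EOF is fine, hence > and not >=.  */` would record that the change is deliberate. The subtraction is safe only if both values are unsigned, which is presumably the case, but their declarations and the rest of the function are outside this hunk.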