aboutsummaryrefslogtreecommitdiff
path: root/bfd/archive64.c
diff options
context:
space:
mode:
authorNick Clifton <nickc@redhat.com>2014-12-09 12:42:18 +0000
committerNick Clifton <nickc@redhat.com>2014-12-09 12:42:18 +0000
commitf64e188b58f4aab4cbd03aa6e9fc1aa602546e26 (patch)
tree46d8f90891842ce15eee893ce5489835e9e65a20 /bfd/archive64.c
parent137d1369ac054744d27f19e95aa8a739e6c0068d (diff)
downloadgdb-f64e188b58f4aab4cbd03aa6e9fc1aa602546e26.zip
gdb-f64e188b58f4aab4cbd03aa6e9fc1aa602546e26.tar.gz
gdb-f64e188b58f4aab4cbd03aa6e9fc1aa602546e26.tar.bz2
More fixes for memory access violations triggered by fuzzed binaries.
PR binutils/17512 * objdump.c (display_any_bfd): Avoid infinite loop closing and opening the same archive again and again. * archive64.c (bfd_elf64_archive_slurp_armap): Add range checks. * libbfd.c (safe_read_leb128): New function. * libbfd-in.h (safe_read_leb128): Add prototype. * libbfd.h: Regenerate. * elf-attrs.c (_bfd_elf_parse_attributes): Use safe_read_leb128. Check for an over-long subsection length. * elf.c (elf_parse_notes): Check that the namedata is long enough for the string comparison that is about to be performed. (elf_read_notes): Zero-terminate the note buffer.
Diffstat (limited to 'bfd/archive64.c')
-rw-r--r--bfd/archive64.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/bfd/archive64.c b/bfd/archive64.c
index 6b87ec5..9d29b90 100644
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -46,6 +46,7 @@ bfd_elf64_archive_slurp_armap (bfd *abfd)
struct areltdata *mapdata;
bfd_byte int_buf[8];
char *stringbase;
+ char *stringend;
bfd_byte *raw_armap = NULL;
carsym *carsyms;
bfd_size_type amt;
@@ -92,11 +93,18 @@ bfd_elf64_archive_slurp_armap (bfd *abfd)
ptrsize = 8 * nsymz;
amt = carsym_size + stringsize + 1;
+ if (carsym_size < nsymz || ptrsize < nsymz || amt < nsymz)
+ {
+ bfd_set_error (bfd_error_malformed_archive);
+ return FALSE;
+ }
ardata->symdefs = (struct carsym *) bfd_zalloc (abfd, amt);
if (ardata->symdefs == NULL)
return FALSE;
carsyms = ardata->symdefs;
stringbase = ((char *) ardata->symdefs) + carsym_size;
+ stringbase[stringsize] = 0;
+ stringend = stringbase + stringsize;
raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
if (raw_armap == NULL)
@@ -114,7 +122,8 @@ bfd_elf64_archive_slurp_armap (bfd *abfd)
{
carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
carsyms->name = stringbase;
- stringbase += strlen (stringbase) + 1;
+ if (stringbase < stringend)
+ stringbase += strlen (stringbase) + 1;
++carsyms;
}
*stringbase = '\0';