diff options
author | Nick Clifton <nickc@redhat.com> | 2014-12-09 12:42:18 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2014-12-09 12:42:18 +0000 |
commit | f64e188b58f4aab4cbd03aa6e9fc1aa602546e26 (patch) | |
tree | 46d8f90891842ce15eee893ce5489835e9e65a20 /bfd/archive64.c | |
parent | 137d1369ac054744d27f19e95aa8a739e6c0068d (diff) | |
download | gdb-f64e188b58f4aab4cbd03aa6e9fc1aa602546e26.zip gdb-f64e188b58f4aab4cbd03aa6e9fc1aa602546e26.tar.gz gdb-f64e188b58f4aab4cbd03aa6e9fc1aa602546e26.tar.bz2 |
More fixes for memory access violations triggered by fuzzed binaries.
PR binutils/17512
* objdump.c (display_any_bfd): Avoid infinite loop closing and
opening the same archive again and again.
* archive64.c (bfd_elf64_archive_slurp_armap): Add range checks.
* libbfd.c (safe_read_leb128): New function.
* libbfd-in.h (safe_read_leb128): Add prototype.
* libbfd.h: Regenerate.
* elf-attrs.c (_bfd_elf_parse_attributes): Use safe_read_leb128.
Check for an over-long subsection length.
* elf.c (elf_parse_notes): Check that the namedata is long enough
for the string comparison that is about to be performed.
(elf_read_notes): Zero-terminate the note buffer.
Diffstat (limited to 'bfd/archive64.c')
-rw-r--r-- | bfd/archive64.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/bfd/archive64.c b/bfd/archive64.c index 6b87ec5..9d29b90 100644 --- a/bfd/archive64.c +++ b/bfd/archive64.c @@ -46,6 +46,7 @@ bfd_elf64_archive_slurp_armap (bfd *abfd) struct areltdata *mapdata; bfd_byte int_buf[8]; char *stringbase; + char *stringend; bfd_byte *raw_armap = NULL; carsym *carsyms; bfd_size_type amt; @@ -92,11 +93,18 @@ bfd_elf64_archive_slurp_armap (bfd *abfd) ptrsize = 8 * nsymz; amt = carsym_size + stringsize + 1; + if (carsym_size < nsymz || ptrsize < nsymz || amt < nsymz) + { + bfd_set_error (bfd_error_malformed_archive); + return FALSE; + } ardata->symdefs = (struct carsym *) bfd_zalloc (abfd, amt); if (ardata->symdefs == NULL) return FALSE; carsyms = ardata->symdefs; stringbase = ((char *) ardata->symdefs) + carsym_size; + stringbase[stringsize] = 0; + stringend = stringbase + stringsize; raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize); if (raw_armap == NULL) @@ -114,7 +122,8 @@ bfd_elf64_archive_slurp_armap (bfd *abfd) { carsyms->file_offset = bfd_getb64 (raw_armap + i * 8); carsyms->name = stringbase; - stringbase += strlen (stringbase) + 1; + if (stringbase < stringend) + stringbase += strlen (stringbase) + 1; ++carsyms; } *stringbase = '\0'; |