author | Alan Modra <amodra@gmail.com> | 2023-04-19 22:32:15 +0930 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2023-04-20 09:03:53 +0930 |
commit | 3b37f0f1b86cc1fb3ba9cc6d89695109db7f829a (patch) | |
tree | 1104d218e517b7bd96be04d5f08e9bcec020ff5b /bfd/coffgen.c | |
parent | 685b44ee816c6e508d282ae3766f2441b5ae9334 (diff) | |
download | gdb-3b37f0f1b86cc1fb3ba9cc6d89695109db7f829a.zip gdb-3b37f0f1b86cc1fb3ba9cc6d89695109db7f829a.tar.gz gdb-3b37f0f1b86cc1fb3ba9cc6d89695109db7f829a.tar.bz2 |
Yet another out-of-memory fuzzed object
Do I care about out of memory conditions triggered by fuzzers? Not
much. Your operating system ought to be able to handle it by killing
the memory hog. Oh well, this one was an element of a coff-alpha
archive that said it was a little less than 2**64 in size. The
coff-alpha compression scheme expands at most 8 times, so we can do
better in bfd_get_file_size.
* bfdio.c (bfd_get_file_size): Assume elements in compressed
archive can only expand a maximum of eight times.
* coffgen.c (_bfd_coff_get_external_symbols): Sanity check
size of symbol table against file size.
Diffstat (limited to 'bfd/coffgen.c')
-rw-r--r-- | bfd/coffgen.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/bfd/coffgen.c b/bfd/coffgen.c index 4725406..05f2640 100644 --- a/bfd/coffgen.c +++ b/bfd/coffgen.c @@ -1551,6 +1551,7 @@ _bfd_coff_get_external_symbols (bfd *abfd) size_t symesz; size_t size; void * syms; + ufile_ptr filesize; if (obj_coff_external_syms (abfd) != NULL) return true; @@ -1565,6 +1566,15 @@ _bfd_coff_get_external_symbols (bfd *abfd) if (size == 0) return true; + filesize = bfd_get_file_size (abfd); + if (filesize != 0 + && ((ufile_ptr) obj_sym_filepos (abfd) > filesize + || size > filesize - obj_sym_filepos (abfd))) + { + bfd_set_error (bfd_error_file_truncated); + return false; + } + if (bfd_seek (abfd, obj_sym_filepos (abfd), SEEK_SET) != 0) return false; syms = _bfd_malloc_and_read (abfd, size, size); |
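Review bot: in the second hunk the new bounds check is bypassed entirely when `bfd_get_file_size (abfd)` returns 0 (the value the `if (filesize != 0` condition treats as "size unknown"), so on such inputs the code still reaches `_bfd_malloc_and_read (abfd, size, size)` with `size` unchecked against anything; that may be the intended fallback, but a one-line comment on the `filesize != 0` branch stating that 0 means the size could not be determined would make the intent explicit. The cast in `(ufile_ptr) obj_sym_filepos (abfd) > filesize` also silently covers a negative symbol-table offset (it becomes a very large unsigned value and fails the first comparison, so the subtraction on the next line never underflows); that ordering is load-bearing and deserves a comment so a later reordering of the two conditions does not reintroduce the underflow. Reporting `bfd_error_file_truncated` for both cases is consistent with the existing `bfd_seek` failure path directly below.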