diff options
author | Nick Clifton <nickc@redhat.com> | 2014-12-09 12:42:18 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2014-12-09 12:42:18 +0000 |
commit | f64e188b58f4aab4cbd03aa6e9fc1aa602546e26 (patch) | |
tree | 46d8f90891842ce15eee893ce5489835e9e65a20 /bfd/elf.c | |
parent | 137d1369ac054744d27f19e95aa8a739e6c0068d (diff) | |
download | gdb-f64e188b58f4aab4cbd03aa6e9fc1aa602546e26.zip gdb-f64e188b58f4aab4cbd03aa6e9fc1aa602546e26.tar.gz gdb-f64e188b58f4aab4cbd03aa6e9fc1aa602546e26.tar.bz2 |
More fixes for memory access violations triggered by fuzzed binaries.
PR binutils/17512
* objdump.c (display_any_bfd): Avoid infinite loop closing and
opening the same archive again and again.
* archive64.c (bfd_elf64_archive_slurp_armap): Add range checks.
* libbfd.c (safe_read_leb128): New function.
* libbfd-in.h (safe_read_leb128): Add prototype.
* libbfd.h: Regenerate.
* elf-attrs.c (_bfd_elf_parse_attributes): Use safe_read_leb128.
Check for an over-long subsection length.
* elf.c (elf_parse_notes): Check that the namedata is long enough
for the string comparison that is about to be performed.
(elf_read_notes): Zero-terminate the note buffer.
Diffstat (limited to 'bfd/elf.c')
-rw-r--r-- | bfd/elf.c | 53 |
1 files changed, 29 insertions, 24 deletions
@@ -9817,32 +9817,33 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset) return TRUE; case bfd_core: - if (CONST_STRNEQ (in.namedata, "NetBSD-CORE")) - { - if (! elfcore_grok_netbsd_note (abfd, &in)) - return FALSE; - } - else if (CONST_STRNEQ (in.namedata, "OpenBSD")) - { - if (! elfcore_grok_openbsd_note (abfd, &in)) - return FALSE; - } - else if (CONST_STRNEQ (in.namedata, "QNX")) + { + struct { - if (! elfcore_grok_nto_note (abfd, &in)) - return FALSE; + const char * string; + bfd_boolean (* func)(bfd *, Elf_Internal_Note *); } - else if (CONST_STRNEQ (in.namedata, "SPU/")) + grokers[] = { - if (! elfcore_grok_spu_note (abfd, &in)) - return FALSE; - } - else - { - if (! elfcore_grok_note (abfd, &in)) - return FALSE; - } - break; + { "", elfcore_grok_note }, + { "NetBSD-CORE", elfcore_grok_netbsd_note }, + { "OpenBSD", elfcore_grok_openbsd_note }, + { "QNX", elfcore_grok_nto_note }, + { "SPU/", elfcore_grok_spu_note } + }; + int i; + + for (i = ARRAY_SIZE (grokers); i--;) + if (in.namesz >= sizeof grokers[i].string - 1 + && strncmp (in.namedata, grokers[i].string, + sizeof (grokers[i].string) - 1) == 0) + { + if (! grokers[i].func (abfd, & in)) + return FALSE; + break; + } + break; + } case bfd_object: if (in.namesz == sizeof "GNU" && strcmp (in.namedata, "GNU") == 0) @@ -9876,10 +9877,14 @@ elf_read_notes (bfd *abfd, file_ptr offset, bfd_size_type size) if (bfd_seek (abfd, offset, SEEK_SET) != 0) return FALSE; - buf = (char *) bfd_malloc (size); + buf = (char *) bfd_malloc (size + 1); if (buf == NULL) return FALSE; + /* PR 17512: file: ec08f814 + 0-termintate the buffer so that string searches will not overflow. */ + buf[size] = 0; + if (bfd_bread (buf, size, abfd) != size || !elf_parse_notes (abfd, buf, size, offset)) { |