aboutsummaryrefslogtreecommitdiff
path: root/bfd/peXXigen.c
diff options
context:
space:
mode:
authorAlan Modra <amodra@gmail.com>2020-06-29 09:51:07 +0930
committerAlan Modra <amodra@gmail.com>2020-06-29 10:09:14 +0930
commit07d22f648e56d7276fa7a4a73438005448c406fb (patch)
treeed775472361aa5b8a78aec9e7a3a642e81480b6f /bfd/peXXigen.c
parent279edac53db8fa6482ee3e305c9627f788fd2699 (diff)
downloadgdb-07d22f648e56d7276fa7a4a73438005448c406fb.zip
gdb-07d22f648e56d7276fa7a4a73438005448c406fb.tar.gz
gdb-07d22f648e56d7276fa7a4a73438005448c406fb.tar.bz2
asan: _bfd_pei_slurp_codeview_record use of uninit value
Fixes some seriously careless code. bfd_bread return value is (bfd_size_type)-1 on error. "if (bfd_bread (...) < 4)" does not check for an error since bfd_size_type is unsigned. In any case, I think we should be reading and checking the requested length. * peXXigen.c (_bfd_XXi_slurp_codeview_record): Properly check return value of bfd_bread. Don't read more than requested length. Sanity check length. Properly terminate file name.
Diffstat (limited to 'bfd/peXXigen.c')
-rw-r--r--bfd/peXXigen.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index b3b6808..5149ef5 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -1147,15 +1147,21 @@ CODEVIEW_INFO *
_bfd_XXi_slurp_codeview_record (bfd * abfd, file_ptr where, unsigned long length, CODEVIEW_INFO *cvinfo)
{
char buffer[256+1];
+ bfd_size_type nread;
if (bfd_seek (abfd, where, SEEK_SET) != 0)
return NULL;
- if (bfd_bread (buffer, 256, abfd) < 4)
+ if (length <= sizeof (CV_INFO_PDB70) && length <= sizeof (CV_INFO_PDB20))
+ return NULL;
+ if (length > 256)
+ length = 256;
+ nread = bfd_bread (buffer, length, abfd);
+ if (length != nread)
return NULL;
/* Ensure null termination of filename. */
- buffer[256] = '\0';
+ memset (buffer + nread, 0, sizeof (buffer) - nread);
cvinfo->CVSignature = H_GET_32 (abfd, buffer);
cvinfo->Age = 0;