diff options
author | Alan Modra <amodra@gmail.com> | 2020-01-14 10:45:41 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2020-01-14 11:02:37 +1030 |
commit | ef4e5ba50c76511d4306edf1526c15269f1d7747 (patch) | |
tree | 271d3f426614b1941f954ab6181e8db0a9f0649a /bfd/som.c | |
parent | 8ab484c23b9f3533fcd942e95887383786331f06 (diff) | |
download | gdb-ef4e5ba50c76511d4306edf1526c15269f1d7747.zip gdb-ef4e5ba50c76511d4306edf1526c15269f1d7747.tar.gz gdb-ef4e5ba50c76511d4306edf1526c15269f1d7747.tar.bz2 |
som: Don't loop forever reading symbol chains
* som.c (som_bfd_count_ar_symbols): Error when file position
of symbols on chains is not strictly increasing.
Diffstat (limited to 'bfd/som.c')
-rw-r--r-- | bfd/som.c | 13 |
1 files changed, 11 insertions, 2 deletions
@@ -5892,8 +5892,8 @@ som_bfd_count_ar_symbols (bfd *abfd, /* Don't forget to initialize the counter! */ *count = 0; - /* Read in the hash table. The has table is an array of 32bit file offsets - which point to the hash chains. */ + /* Read in the hash table. The hash table is an array of 32-bit + file offsets which point to the hash chains. */ amt = (bfd_size_type) lst_header->hash_size * 4; if (bfd_bread ((void *) hash_table, amt, abfd) != amt) goto error_return; @@ -5928,6 +5928,15 @@ som_bfd_count_ar_symbols (bfd *abfd, if (next_entry == 0) break; + /* Assume symbols on a chain are in increasing file offset + order. Otherwise we can loop here with fuzzed input. */ + if (next_entry < hash_val + sizeof (ext_lst_symbol)) + { + bfd_set_error (bfd_error_bad_value); + goto error_return; + } + hash_val = next_entry; + /* Seek to the next symbol. */ if (bfd_seek (abfd, lst_filepos + next_entry, SEEK_SET) != 0) goto error_return; |