diff options
author | Yuriy M. Kaminskiy <yumkam@gmail.com> | 2015-08-04 16:51:53 +0100 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2015-08-04 16:51:53 +0100 |
commit | 7e27a9d5f22f9f7ead11738b1546d0b5c737266b (patch) | |
tree | 46bffdfecd821e8f439790cab4da495658777807 /bfd | |
parent | 4e13f8fb05eb7ffd163d96e519cc011d8d21e3d7 (diff) | |
download | gdb-7e27a9d5f22f9f7ead11738b1546d0b5c737266b.zip gdb-7e27a9d5f22f9f7ead11738b1546d0b5c737266b.tar.gz gdb-7e27a9d5f22f9f7ead11738b1546d0b5c737266b.tar.bz2 |
Fix stack buffer overflows when parsing corrupt ihex files.
PR binutils/18750
* ihex.c (ihex_scan): Fixes incorrect escape sequence in error message
and stack overflow when char is signed and \200-\376 was in place of hex
digit; also fixes \377 was handled as EOF instead of "incorrect character".
(ihex_read_section): Changed for consistency.
(ihex_bad_byte): Prevent (now impossible to trigger) stack
overflow and incorrect escape sequence handling.
* srec.c (srec_bad_byte): Likewise.
* readelf.c (process_mips_specific): Fix incorrect escape
sequence handling.
Diffstat (limited to 'bfd')
-rw-r--r-- | bfd/ChangeLog | 12 | ||||
-rw-r--r-- | bfd/ihex.c | 6 | ||||
-rw-r--r-- | bfd/srec.c | 2 |
3 files changed, 16 insertions, 4 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 986299d..a8b3646 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,15 @@ +2015-08-04 Yuriy M. Kaminskiy" <yumkam@gmail.com> + Tyler Hicks <tyhicks@canonical.com> + + PR binutils/18750 + * ihex.c (ihex_scan): Fixes incorrect escape sequence in error message + and stack overflow when char is signed and \200-\376 was in place of hex + digit; also fixes \377 was handled as EOF instead of "incorrect character". + (ihex_read_section): Changed for consistency. + (ihex_bad_byte): Prevent (now impossible to trigger) stack + overflow and incorrect escape sequence handling. + * srec.c (srec_bad_byte): Likewise. + 2015-08-03 Hans-Peter Nilsson <hp@axis.com> * elf32-cris.c (cris_elf_relocate_section) @@ -219,7 +219,7 @@ ihex_bad_byte (bfd *abfd, unsigned int lineno, int c, bfd_boolean error) char buf[10]; if (! ISPRINT (c)) - sprintf (buf, "\\%03o", (unsigned int) c); + sprintf (buf, "\\%03o", (unsigned int) c & 0xff); else { buf[0] = c; @@ -276,7 +276,7 @@ ihex_scan (bfd *abfd) else { file_ptr pos; - char hdr[8]; + unsigned char hdr[8]; unsigned int i; unsigned int len; bfd_vma addr; @@ -553,7 +553,7 @@ ihex_read_section (bfd *abfd, asection *section, bfd_byte *contents) error = FALSE; while ((c = ihex_get_byte (abfd, &error)) != EOF) { - char hdr[8]; + unsigned char hdr[8]; unsigned int len; unsigned int type; unsigned int i; @@ -249,7 +249,7 @@ srec_bad_byte (bfd *abfd, char buf[40]; if (! ISPRINT (c)) - sprintf (buf, "\\%03o", (unsigned int) c); + sprintf (buf, "\\%03o", (unsigned int) c & 0xff); else { buf[0] = c; |