author | Nick Clifton <nickc@redhat.com> | 2014-11-05 17:57:54 +0000 |
committer | Nick Clifton <nickc@redhat.com> | 2014-11-05 17:57:54 +0000 |
commit | a6f921c87700c2349cf6fa35fbc8ec9d3e3fb88e (patch) | |
tree | 909d407430c567e518224fff061fee9657081c83 /bfd | |
parent | 74e1a04b9787c02ba0fa9b93e3dae691bb44ed96 (diff) | |
More fixes for memory problems uncovered by file fuzzers.
PR binutils/17512
* coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT.
Replace another abort with an error message.
(coff_slurp_line_table): Add more range checking.
* peXXigen.c (pe_print_debugdata): Add range checking.
Diffstat (limited to 'bfd')
-rw-r--r-- | bfd/ChangeLog | 8 | ||||
-rw-r--r-- | bfd/coffcode.h | 21 | ||||
-rw-r--r-- | bfd/peXXigen.c | 6 |
3 files changed, 28 insertions, 7 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 721db9b..16724b3 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2014-11-04 Nick Clifton <nickc@redhat.com>
+
+        PR binutils/17512
+        * coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT.
+        Replace another abort with an error message.
+        (coff_slurp_line_table): Add more range checking.
+        * peXXigen.c (pe_print_debugdata): Add range checking.
+
 2014-11-05 James Cowgill <james.cowgill@imgtec.com>
 
         * elfxx-mips.c (_bfd_mips_elf_finish_dynamic_sections): Fix segfault
diff --git a/bfd/coffcode.h b/bfd/coffcode.h
index ab76083..1ca28b8 100644
--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -928,12 +928,7 @@ handle_COMDAT (bfd * abfd,
 
           bfd_coff_swap_sym_in (abfd, esym, & isym);
 
-          if (sizeof (internal_s->s_name) > SYMNMLEN)
-            {
-              /* This case implies that the matching
-                 symbol name will be in the string table. */
-              abort ();
-            }
+          BFD_ASSERT (sizeof (internal_s->s_name) <= SYMNMLEN);
 
           if (isym.n_scnum == section->target_index)
             {
@@ -964,8 +959,12 @@ handle_COMDAT (bfd * abfd,
           /* All 3 branches use this. */
           symname = _bfd_coff_internal_syment_name (abfd, &isym, buf);
 
+          /* PR 17512 file: 078-11867-0.004 */
           if (symname == NULL)
-            abort ();
+            {
+              _bfd_error_handler (_("%B: unable to load COMDAT section name"), abfd);
+              break;
+            }
 
           switch (seen_state)
             {
@@ -4578,6 +4577,13 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
                   sym = ((coff_symbol_type *)
                          ((symndx + obj_raw_syments (abfd))
                           ->u.syment._n._n_n._n_zeroes));
+
+                  /* PR 17512 file: 078-10659-0.004 */
+                  if (sym < obj_symbols (abfd)
+                      || sym > obj_symbols (abfd)
+                      + obj_raw_syment_count (abfd) * sizeof (coff_symbol_type))
+                    sym = NULL;
+
                   cache_ptr->u.sym = (asymbol *) sym;
                   if (sym == NULL)
                     continue;
@@ -4599,6 +4605,7 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
               cache_ptr++;
               src++;
             }
+          cache_ptr->line_number = 0;
 
           bfd_release (abfd, native_lineno);
 
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index d031430..25f7273 100644
--- a/bfd/peXXigen.c
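Review bot: The new `BFD_ASSERT` in the first coffcode.h hunk compares `sizeof (internal_s->s_name)` with `SYMNMLEN`, two values fixed at compile time, so a build-time invariant is now expressed as a per-symbol runtime check, and the rationale the removed comment carried (a longer name would have to come from the string table, which this path does not handle) is lost. I would keep that explanation next to the assertion: `/* The section name must fit in the symbol's in-line name field; a longer name would live in the string table, which this code does not handle.  */`. As far as I recall `BFD_ASSERT` only reports and continues, so if the invariant were ever violated the loop would go on to compare a truncated name; if that is right it is worth a sentence in the same comment. handle_COMDAT begins before this hunk and its loop continues after it.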
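Review bot: The new error branch in the second coffcode.h hunk reports the failure through `_bfd_error_handler` and then `break`s out of the symbol loop, but nothing records an error for the caller: the BFD error state is untouched and the section is silently left without its COMDAT symbol. If handle_COMDAT cannot return a status (its signature is outside the hunk), I would at least add `bfd_set_error (bfd_error_bad_value);` before the `break` so callers that consult `bfd_get_error ()` can see the malformed input. A short comment on the `break` saying that it abandons the COMDAT lookup for this section only, not for the whole file, would also help the next reader; the loop and the function body extend beyond the hunk.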
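Review bot: The upper bound of the new range check in the coff_slurp_line_table hunk looks wrong: `obj_symbols (abfd) + obj_raw_syment_count (abfd) * sizeof (coff_symbol_type)` is pointer arithmetic on what the comparison with `sym` implies is a `coff_symbol_type *`, so the offset is scaled by the element size twice and the limit lands roughly `sizeof (coff_symbol_type)` times past the real end of the table, leaving most out-of-range pointers accepted. `>` also admits the one-past-the-end address, which is not a valid symbol either. I would write the second condition as `|| sym >= obj_symbols (abfd) + obj_raw_syment_count (abfd))`. Note too that the check only sanitises the pointer read back from `_n_zeroes`; unless `symndx` is bounds-checked before this hunk (outside my view), the indexing `symndx + obj_raw_syments (abfd)` on the preceding context lines is still an out-of-bounds read on a crafted line-number table. coff_slurp_line_table continues on both sides of the hunk.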
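Review bot: The new sentinel store `cache_ptr->line_number = 0;` in the last coffcode.h hunk writes one entry past the last one filled by the loop, so it is only safe if the line-number table was allocated with a spare slot; the allocation is outside this hunk and I cannot confirm it from here. I would make that dependency explicit on the line itself: `/* Terminate the table; the allocation must reserve one extra alent for this sentinel.  */`. coff_slurp_line_table starts before and ends after this hunk.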
+++ b/bfd/peXXigen.c
@@ -2573,6 +2573,12 @@ pe_print_debugdata (bfd * abfd, void * vfile)
 
   dataoff = addr - section->vma;
 
+  if (size > (section->size - dataoff))
+    {
+      fprintf (file, _("The debug data size field in the data directory is too big for the section"));
+      return FALSE;
+    }
+
   fprintf (file, _("Type Size Rva Offset\n"));
|
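Review bot: The new guard `size > (section->size - dataoff)` is only sound if `dataoff` is already known to lie inside the section; if the section lookup before this hunk can return a section shorter than `addr - section->vma`, the unsigned subtraction wraps and the guard waves through an arbitrarily large `size` from the data directory. Unless that is guaranteed elsewhere, I would write it as `if (dataoff >= section->size || size > section->size - dataoff)`. The diagnostic is also missing a trailing newline, unlike the `Type Size Rva Offset\n` header on the next line, so whatever is printed next runs onto the same line; `_("The debug data size field in the data directory is too big for the section\n")` fixes that. Since `size` is attacker-controlled, a value that is not a multiple of the debug-directory entry size still reaches the per-entry loop that follows; whether that loop tolerates a partial trailing entry is outside this hunk, as is the rest of pe_print_debugdata on both sides.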