authorNick Clifton <nickc@redhat.com>2014-11-18 14:40:05 +0000
committerNick Clifton <nickc@redhat.com>2014-11-18 14:40:05 +0000
commit6937bb54a9c3ddc7ba330bc18af76f8dbe856ac3 (patch)
treeef3620d4de908919f540cbb095a7f9f62da9d72c /bfd
parentde84aee38c50fd306876cdbf92007afaacbfab4d (diff)
More fixes for illegal memory accesses exposed by fuzzed binaries.
PR binutils/17512 * peXXIgen.c (pe_print_pdata): Fail if the section's virtual size is larger than its real size. (rsrc_print_section): Fix off-by-one error checking for overflow. * pei-x86_64.c (pex64_bfd_print_pdata): Handle empty unwind sections. * dwarf.c (get_encoded_value): Warn and return if the encoded value is more than 64-bits long. (SAFE_BYTE_GET): Do not attempt to read more than 64-bits. (process_extended_line_op): Add more range checks. (decode_location_expression): Use the return value from display_block. Add more range checks. (read_debug_line_header): Add range check. (display_debug_lines_raw): Add range checks. (display_debug_frames): Silently skip multiple zero terminators. Add range checks. (process_cu_tu_index): Check for non-existent or empty sections. Use SAFE_BYTE_GET instead of byte_get.
Diffstat (limited to 'bfd')
-rw-r--r--bfd/ChangeLog9
-rw-r--r--bfd/peXXigen.c10
-rw-r--r--bfd/pei-x86_64.c7
3 files changed, 25 insertions, 1 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index f8ca71b..f606e15 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,12 @@
+2014-11-18 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/17512
+ * peXXIgen.c (pe_print_pdata): Fail if the section's virtual size
+ is larger than its real size.
+ (rsrc_print_section): Fix off-by-one error checking for overflow.
+ * pei-x86_64.c (pex64_bfd_print_pdata): Handle empty unwind
+ sections.
+
2014-11-18 Igor Zamyatin <igor.zamyatin@intel.com>
* elf64-x86-64.c (elf_x86_64_check_relocs): Enable MPX PLT only
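--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -1890,6 +1890,14 @@ pe_print_pdata (bfd * abfd, void * vfile)
 if (datasize == 0)
 return TRUE;
+ /* PR 17512: file: 002-193900-0.004. */
+ if (datasize < stop)
+ {
+ fprintf (file, _("Virtual size of .pdata section (%ld) larger than real size (%ld)\n"),
+ (long) stop, (long) datasize);
+ return FALSE;
+ }
+
 if (! bfd_malloc_and_get_section (abfd, section, &data))
 {
 if (data != NULL)
@@ -2526,7 +2534,7 @@ rsrc_print_section (bfd * abfd, void * vfile)
 /* If the extra data is all zeros then do not complain.
 This is just padding so that the section meets the
 page size requirements. */
- while (data ++ < regions.section_end)
+ while (++ data < regions.section_end)
 if (*data != 0)
 break;
 if (data < regions.section_end)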
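Review bot: The pre-increment in rsrc_print_section's padding scan (`while (++ data < regions.section_end)`) removes the one-past-the-end dereference, but it also means the byte `data` points at on entry is never tested for zero; whether that byte is already-consumed resource data or the first padding byte depends on code above the hunk, which I cannot see. If the entry byte is padding, a plain bounded loop checks every byte and still never reads past the end: `for (; data < regions.section_end; data++) if (*data != 0) break;`. If skipping it is deliberate, a one-line comment such as `/* data points at the last consumed byte; start the scan after it.  */` would keep a future reader from "fixing" it back to a post-increment. rsrc_print_section begins and ends outside the hunk.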
diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
index 48554d3..11ee73a 100644
--- a/bfd/pei-x86_64.c
+++ b/bfd/pei-x86_64.c
@@ -464,6 +464,12 @@ pex64_bfd_print_pdata (bfd *abfd, void *vfile)
return TRUE;
stop = pei_section_data (abfd, pdata_section)->virt_size;
+ /* PR 17512: file: 005-181405-0.004. */
+ if (stop == 0 || pdata_section->size == 0)
+ {
+ fprintf (file, _("No unwind data in .pdata section\n"));
+ return TRUE;
+ }
if ((stop % onaline) != 0)
fprintf (file,
_("warning: .pdata section size (%ld) is not a multiple of %d\n"),
@@ -490,6 +496,7 @@ pex64_bfd_print_pdata (bfd *abfd, void *vfile)
if (i + PDATA_ROW_SIZE > stop)
break;
+
pex64_get_runtime_function (abfd, &rf, &pdata[i]);
if (rf.rva_BeginAddress == 0 && rf.rva_EndAddress == 0