author | Nick Clifton <nickc@redhat.com> | 2017-04-21 12:31:59 +0100 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2017-04-21 12:31:59 +0100 |
commit | ddef72cdc10d82ba011a7ff81cafbbd3466acf54 (patch) | |
tree | 473a2711bc2dab62369ce3cd889c89d3ea1a0a1a /binutils/readelf.c | |
parent | 792f174f8af4291c222d0a6de919118e488258bc (diff) | |
Fix shift overflow when parsing an overlarge note value.
PR binutils/21378
* readelf.c (print_gnu_build_attribute_name): Check for an
overlarge name field.
Diffstat (limited to 'binutils/readelf.c')
-rw-r--r-- | binutils/readelf.c | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/binutils/readelf.c b/binutils/readelf.c
index ab53473..e575667 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -16948,10 +16948,18 @@ print_gnu_build_attribute_name (Elf_Internal_Note * pnote)
 {
 case GNU_BUILD_ATTRIBUTE_TYPE_NUMERIC:
 {
- unsigned int bytes = pnote->namesz - (name - pnote->namedata);
- unsigned long val = 0;
- unsigned int shift = 0;
- char * decoded = NULL;
+ unsigned int bytes = pnote->namesz - (name - pnote->namedata);
+ unsigned long long val = 0;
+ unsigned int shift = 0;
+ char * decoded = NULL;
+
+ /* PR 21378 */
+ if (bytes > sizeof (val))
+ {
+ error (_("corrupt name field: namesz of %lu is too large for a numeric value\n"),
+ pnote->namesz);
+ return FALSE;
+ }
 while (bytes --)
 {
@@ -16995,9 +17003,9 @@ print_gnu_build_attribute_name (Elf_Internal_Note * pnote)
 else
 {
 if (do_wide)
- left -= printf ("0x%lx", val);
+ left -= printf ("0x%llx", val);
 else
- left -= printf ("0x%-.*lx", left, val);
+ left -= printf ("0x%-.*llx", left, val);
 }
 }
 break; |
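Review bot: The shift overflow can survive the new `bytes > sizeof (val)` guard on hosts where `long` is 32 bits, unless the operand shifted inside the `while (bytes --)` loop is widened along with `val`; the loop body lies outside this hunk, so that needs checking. With up to eight bytes now accepted, `shift` reaches 56, and shifting an `unsigned long` temporary or the promoted `int` from `*name` by 32 or more is the same undefined behaviour the PR reports; the operand would need a cast, e.g. `val |= (unsigned long long) (*name++ & 0xff) << shift;`. Separately, `bytes` is an unsigned difference, so a `namesz` smaller than the offset already consumed wraps to a huge count and is rejected here with a message saying namesz is "too large". A comment on the guard such as `/* PR 21378: also rejects a wrapped byte count when namesz is too small.  */` would make that intent explicit.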
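Review bot: In `printf ("0x%-.*llx", left, val)` the `.*` is a precision, which for `%x` conversions is a minimum digit count rather than a column limit, so the value is zero-padded up to `left` digits and never truncated. If the intent is to pad the field to the remaining width, `%-*llx` is probably what was meant. The `*` argument must be an `int`, and `left` is declared outside this hunk, so its type should be confirmed. With `val` now 64 bits wide the value alone can take 16 hex digits, so `left` may go negative after the subtraction; a short comment on how later code treats a negative `left` would help.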