aboutsummaryrefslogtreecommitdiff
path: root/binutils/readelf.c
diff options
context:
space:
mode:
authorAlan Modra <amodra@gmail.com>2020-07-09 13:18:37 +0930
committerAlan Modra <amodra@gmail.com>2020-07-09 13:50:27 +0930
commite3fdc001d359d6bcd033c1276c772e72d3f49078 (patch)
tree4d5ba4ad06767ad74b0f7f8926e8ab169f1703f7 /binutils/readelf.c
parenta6978338d92a3281c8c45da1a3ef7b4d5f7346e7 (diff)
downloadgdb-e3fdc001d359d6bcd033c1276c772e72d3f49078.zip
gdb-e3fdc001d359d6bcd033c1276c772e72d3f49078.tar.gz
gdb-e3fdc001d359d6bcd033c1276c772e72d3f49078.tar.bz2
asan: readelf: heap buffer overflow in slurp_hppa_unwind_table
This one isn't just a weird corner case requiring multiple .PARISC.unwind sections in an object file to trigger the buffer overflow, it's also a simple bug that would prevent relocations being applied in the normal case of a single .PARISC.unwind section. * readelf (slurp_hppa_unwind_table): Set table_len before use in relocation sanity checks.
Diffstat (limited to 'binutils/readelf.c')
-rw-r--r--binutils/readelf.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 41547a2..0feeed9 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -8253,6 +8253,7 @@ slurp_hppa_unwind_table (Filedata * filedata,
nentries = size / unw_ent_size;
size = unw_ent_size * nentries;
+ aux->table_len = nentries;
tep = aux->table = (struct hppa_unw_table_entry *)
xcmalloc (nentries, sizeof (aux->table[0]));
@@ -8372,8 +8373,6 @@ slurp_hppa_unwind_table (Filedata * filedata,
free (rela);
}
- aux->table_len = nentries;
-
return TRUE;
}