diff options
author | Alan Modra <amodra@gmail.com> | 2021-11-01 00:20:01 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2021-11-01 22:30:33 +1030 |
commit | c27cdb4c534e0b52ea877b6800f832756ee16a2f (patch) | |
tree | 3fd83f8cef38b521a12115be882cdbebbf713f12 /binutils | |
parent | 3197e593d8a2a79a23dc9155d18d7aff6281da14 (diff) | |
download | gdb-c27cdb4c534e0b52ea877b6800f832756ee16a2f.zip gdb-c27cdb4c534e0b52ea877b6800f832756ee16a2f.tar.gz gdb-c27cdb4c534e0b52ea877b6800f832756ee16a2f.tar.bz2 |
objcopy buffer overflow
"tocopy" in this code was an int, which when the size to be copied was
larger than MAXINT could result in tocopy being negative. A negative
value of course is less than BUFSIZE, but when converted to
bfd_size_type is extremely large.
PR 995
* objcopy.c (copy_unknown_object): Correct calculation of "tocopy".
Use better variable types.
Diffstat (limited to 'binutils')
-rw-r--r-- | binutils/objcopy.c | 21 |
1 files changed, 9 insertions, 12 deletions
diff --git a/binutils/objcopy.c b/binutils/objcopy.c index 0e7400f..e0d52d1 100644 --- a/binutils/objcopy.c +++ b/binutils/objcopy.c @@ -1894,9 +1894,8 @@ static bool copy_unknown_object (bfd *ibfd, bfd *obfd) { char *cbuf; - int tocopy; - long ncopied; - long size; + bfd_size_type tocopy; + off_t size; struct stat buf; if (bfd_stat_arch_elt (ibfd, &buf) != 0) @@ -1924,30 +1923,28 @@ copy_unknown_object (bfd *ibfd, bfd *obfd) bfd_get_archive_filename (ibfd), bfd_get_filename (obfd)); cbuf = (char *) xmalloc (BUFSIZE); - ncopied = 0; - while (ncopied < size) + while (size != 0) { - tocopy = size - ncopied; - if (tocopy > BUFSIZE) + if (size > BUFSIZE) tocopy = BUFSIZE; + else + tocopy = size; - if (bfd_bread (cbuf, (bfd_size_type) tocopy, ibfd) - != (bfd_size_type) tocopy) + if (bfd_bread (cbuf, tocopy, ibfd) != tocopy) { bfd_nonfatal_message (NULL, ibfd, NULL, NULL); free (cbuf); return false; } - if (bfd_bwrite (cbuf, (bfd_size_type) tocopy, obfd) - != (bfd_size_type) tocopy) + if (bfd_bwrite (cbuf, tocopy, obfd) != tocopy) { bfd_nonfatal_message (NULL, obfd, NULL, NULL); free (cbuf); return false; } - ncopied += tocopy; + size -= tocopy; } /* We should at least to be able to read it back when copying an |