aboutsummaryrefslogtreecommitdiff
path: root/binutils
diff options
context:
space:
mode:
authorNick Clifton <nickc@redhat.com>2015-01-08 13:52:42 +0000
committerNick Clifton <nickc@redhat.com>2015-01-08 13:52:42 +0000
commit848cde35d61874521ad6c88a50f983d5ee7d2307 (patch)
treec744f90c3d70c0af5464c379b61da68dbd5daad1 /binutils
parent2279a12a44ede7a0a6d7375d90d33676fa8771ad (diff)
downloadgdb-848cde35d61874521ad6c88a50f983d5ee7d2307.zip
gdb-848cde35d61874521ad6c88a50f983d5ee7d2307.tar.gz
gdb-848cde35d61874521ad6c88a50f983d5ee7d2307.tar.bz2
Fix memory access violations triggered by running sysdump on fuzzed binaries.
PR binutils/17512 * sysdump.c (getINT): Fail if reading off the end of the buffer. Replace call to abort with a call to fatal. (getCHARS): Prevetn reading off the end of the buffer.
Diffstat (limited to 'binutils')
-rw-r--r--binutils/ChangeLog4
-rw-r--r--binutils/sysdump.c14
2 files changed, 16 insertions, 2 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index cfad0f7..d6c3070 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,6 +1,10 @@
2015-01-08 Nick Clifton <nickc@redhat.com>
PR binutils/17512
+ * sysdump.c (getINT): Fail if reading off the end of the buffer.
+ Replace call to abort with a call to fatal.
+ (getCHARS): Prevetn reading off the end of the buffer.
+
* nlmconv.c (i386_mangle_relocs): Skip relocs without an
associated symbol.
(powerpc_mangle_relocs): Skip unrecognised relocs. Check address
diff --git a/binutils/sysdump.c b/binutils/sysdump.c
index 37dd162..ac350e1 100644
--- a/binutils/sysdump.c
+++ b/binutils/sysdump.c
@@ -66,6 +66,9 @@ getCHARS (unsigned char *ptr, int *idx, int size, int max)
if (b == 0)
{
+ /* PR 17512: file: 13caced2. */
+ if (oc >= max)
+ return _("*corrupt*");
/* Got to work out the length of the string from self. */
b = ptr[oc++];
(*idx) += 8;
@@ -166,7 +169,12 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
int byte = *idx / 8;
if (byte >= max)
- return 0;
+ {
+ /* PR 17512: file: id:000001,src:000002,op:flip1,pos:45. */
+ /* Prevent infinite loops re-reading beyond the end of the buffer. */
+ fatal (_("ICE: getINT: Out of buffer space"));
+ return 0;
+ }
if (size == -2)
size = addrsize;
@@ -188,7 +196,7 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]);
break;
default:
- abort ();
+ fatal (_("Unsupported read size: %d"), size);
}
*idx += size * 8;
@@ -615,6 +623,8 @@ module (void)
do
{
c = getc (file);
+ if (c == EOF)
+ break;
ungetc (c, file);
c &= 0x7f;