-rw-r--r-- | gprof/ChangeLog | 7 | ||||
-rw-r--r-- | gprof/corefile.c | 20 |
2 files changed, 12 insertions, 15 deletions
diff --git a/gprof/ChangeLog b/gprof/ChangeLog
index e5afbf6..176a8f9 100644
--- a/gprof/ChangeLog
+++ b/gprof/ChangeLog
@@ -2,10 +2,9 @@
 	PR gprof/20499
 	* corefile.c (num_of_syms_in): Return an unsigned int.
-	(core_create_syms_from): Catch a possible integer overflow
-	computing the argument to xmalloc. Also allow for the possibility
-	that an integer overflow in num_of_syms_in means that less space
-	has been allocated than expected.
+	Fail if the count exceeds the maximum possible allocatable size.
+	(core_create_syms_from): Exit early if num_of_syms_in returns a
+	failure code.
 2016-08-23 Nick Clifton <nickc@redhat.com>
diff --git a/gprof/corefile.c b/gprof/corefile.c
index e165da2..87de7bc 100644
--- a/gprof/corefile.c
+++ b/gprof/corefile.c
@@ -28,6 +28,7 @@
 #include "hist.h"
 #include "corefile.h"
 #include "safe-ctype.h"
+#include <limits.h> /* For UINT_MAX. */
 bfd *core_bfd;
 static int core_num_syms;
@@ -500,7 +501,11 @@ num_of_syms_in (FILE * f)
     {
       if (sscanf (buf, "%" STR_BUFSIZE "s %c %" STR_BUFSIZE "s", address, &type, name) == 3)
 	if (type == 't' || type == 'T')
-	  ++num;
+	  {
+	    /* PR 20499 - prevent integer overflow computing argument to xmalloc. */
+	    if (++num >= UINT_MAX / sizeof (Sym))
+	      return -1U;
+	  }
     }
   return num;
@@ -531,11 +536,10 @@ core_create_syms_from (const char * sym_table_file)
       fprintf (stderr, _("%s: file `%s' has no symbols\n"), whoami, sym_table_file);
       done (1);
     }
-  /* PR 20499 - prevent integer overflow computing argument to xmalloc. */
-  else if ((symtab.len * (unsigned) sizeof (Sym)) < symtab.len)
+  else if (symtab.len == -1U)
     {
-      fprintf (stderr, _("%s: file `%s' has too many symbols: %u\n"), whoami, sym_table_file, symtab.len);
+      fprintf (stderr, _("%s: file `%s' has too many symbols\n"), whoami, sym_table_file);
       done (1);
     }
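Review bot: The failure code at `return -1U;` is an in-band sentinel that core_create_syms_from must compare against verbatim (`symtab.len == -1U`), and nothing names it or ties it to the `UINT_MAX / sizeof (Sym)` bound, so the producer and consumer can silently drift apart. A shared named constant for both sites, e.g. `#define MAX_NUM_SYMS (UINT_MAX / sizeof (Sym))` and `#define NUM_SYMS_OVERFLOW (-1U)`, would keep them in step. The sentinel is only unambiguous because the early return guarantees the count never reaches UINT_MAX; that is worth stating next to the check: `/* -1U can never be a real count: we bail out at UINT_MAX / sizeof (Sym).  */`. The enclosing loop and num_of_syms_in's signature begin outside the hunk.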
@@ -571,12 +575,6 @@ core_create_syms_from (const char * sym_table_file)
       max_vma = MAX (symtab.limit->addr, max_vma);
       ++symtab.limit;
-      /* PR 20499 - it is theoretically possible that there are so many
-	 symbols in the file that the scan in num_of_syms_in() wrapped
-	 around. So be paranoid here and exit the loop if we have
-	 reached the end of our allocated table. */
-      if ((unsigned int)(symtab.limit - symtab.base) == symtab.len)
-	break;
     }
   fclose (f);
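Review bot: Removing `if ((unsigned int)(symtab.limit - symtab.base) == symtab.len) break;` leaves this fill loop with no bound at all: the table appears to be sized by the separate counting pass in num_of_syms_in, and this second pass advances `++symtab.limit` once per matching line it reads, so any divergence between the two passes — most plausibly the symbol file being modified between them — would write past the allocated table. The wrap-around the old comment worried about is now prevented in num_of_syms_in, but the guard also covered that case and costs one comparison per symbol, so I would keep it with a comment saying why it still matters: `/* The table was sized by an earlier pass over the file; never write past it even if the file changed underneath us.  */`. The loop and core_create_syms_from both begin outside the hunk.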