From 0b97e818464a42305c8243a980a5c13967554fd9 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Wed, 5 Aug 2020 10:03:00 +0930
Subject: PR26337, Malloc size error in objdump

A malloc failure triggered by a fuzzed object file isn't a real problem unless objdump doesn't exit cleanly after the failure, which it does. However we have bfd_malloc_and_get_section to sanity check size of uncompressed sections before allocating memory. Use it.

	PR 26337
	* objdump.c (load_specific_debug_section): Don't malloc space for section contents, use bfd_malloc_and_get_section.
---
 binutils/ChangeLog | 6 ++++++
 binutils/objdump.c | 7 +++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index acd04df..a924ae2 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2020-08-05 Alan Modra
+
+	PR 26337
+	* objdump.c (load_specific_debug_section): Don't malloc space for
+	section contents, use bfd_malloc_and_get_section.
+
 2020-07-30 Rainer Orth
 
 	* Makefile.am (AM_CPPFLAGS): Add LARGEFILE_CPPFLAGS.
diff --git a/binutils/objdump.c b/binutils/objdump.c
index 79ef051..1b48cd3 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -3545,6 +3545,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
       if (streq (section->filename, bfd_get_filename (abfd)))
         return TRUE;
       free (section->start);
+      section->start = NULL;
     }
 
   section->filename = bfd_get_filename (abfd);
@@ -3557,22 +3558,20 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
   alloced = amt = section->size + 1;
   if (alloced != amt || alloced == 0)
     {
-      section->start = NULL;
       free_debug_section (debug);
       printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
               sanitize_string (section->name),
               (unsigned long long) section->size);
       return FALSE;
     }
-  section->start = contents = malloc (alloced);
-  if (section->start == NULL
-      || !bfd_get_full_section_contents (abfd, sec, &contents))
+  if (!bfd_malloc_and_get_section (abfd, sec, &contents))
     {
       free_debug_section (debug);
       printf (_("\nCan't get contents for section '%s'.\n"),
               sanitize_string (section->name));
       return FALSE;
     }
+  section->start = contents;
 
   /* Ensure any string section has a terminating NUL. */
   section->start[section->size] = 0;
-- 
cgit v1.1
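Review bot: The terminating-NUL store `section->start[section->size] = 0;` at the end of the hunk can now write one byte past the buffer: `alloced = amt = section->size + 1` is still computed for exactly that byte, but it is no longer passed to any allocator, because bfd_malloc_and_get_section takes only abfd and sec and sizes the buffer itself (presumably at the section size; its body is outside this hunk). The same line is also reached with `section->start == NULL` if the helper succeeds without allocating for an empty section, where the removed `malloc (alloced)` used to guarantee at least one byte. One way to keep the helper's size sanity check and still own the extra byte is to grow the returned buffer to `alloced` before use, as below; the alternative is to restore `malloc (alloced)` plus bfd_get_full_section_contents and bound `alloced` by the file size beforehand (allowing for decompressed sections that legitimately exceed it). load_specific_debug_section starts and ends outside the hunk.
```c
  if (!bfd_malloc_and_get_section (abfd, sec, &contents))
    {
      /* … unchanged: free_debug_section, "Can't get contents" message, return FALSE … */
    }
  /* bfd_malloc_and_get_section sizes the buffer itself; grow it to ALLOCED
     so the one extra byte for the terminating NUL below is really there
     (and so an empty section still gets a 1-byte buffer).  */
  section->start = realloc (contents, alloced);
  if (section->start == NULL)
    {
      free (contents);
      free_debug_section (debug);
      printf (_("\nCan't get contents for section '%s'.\n"),
              sanitize_string (section->name));
      return FALSE;
    }
  /* … unchanged: terminating-NUL store … */
```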