From 5860e3f883597cf6b8a937547015394edc1e8784 Mon Sep 17 00:00:00 2001 
From: Nick Clifton Date: Mon, 22 Dec 2014 20:59:00 +0000 Subject: More fixes for memory access violations exposed by fuzzed binaries. PR binutils/17512 * archive.c (do_slurp_bsd_armap): Return if the parsed_size is zero. (bfd_slurp_armap): Zero terminate the name. (bfd_generic_stat_arch_elt): If there is no header, fail. * elf32-arc.c (arc_info_to_howto_rel): Replace BFD_ASSERT with error message. * elf32-avr.c (avr_info_to_howto_rela): Likewise. * elf32-cr16c.c (elf_cr16c_info_to_howto_rel): Likewise. * elf32-cris.c (cris_info_to_howto_rela): Likewise. * elf32-d10v.c (d10v_info_to_howto_rel): Likewise. * elf32-d30v.c (d30v_info_to_howto_rel): Likewise. * elf32-dlx.c (dlx_rtype_to_howto): Likewise. * elf32-epiphany.c (epiphany_info_to_howto_rela): Likewise. * elf32-fr30.c (fr30_info_to_howto_rela): Likewise. * elf32-frv.c (frv_info_to_howto_rela): Likewise. * elf32-i960.c (elf32_i960_info_to_howto_rel): Likewise. * elf32-ip2k.c (ip2k_info_to_howto_rela): Likewise. * elf32-iq2000.c (iq2000_info_to_howto_rela): Likewise. * elf32-lm32.c (lm32_info_to_howto_rela): Likewise. * elf32-m32c.c (m32c_info_to_howto_rela): Likewise. * elf32-m32r.c (m32r_info_to_howto_rel): Likewise. * elf32-m68hc11.c (m68hc11_info_to_howto_rel): Likewise. * elf32-m68hc12.c (m68hc11_info_to_howto_rel): Likewise. * elf32-mep.c (mep_info_to_howto_rela): Likewise. * elf32-metag.c (metag_info_to_howto_rela): Likewise. * elf32-moxie.c (moxie_info_to_howto_rela): Likewise. * elf32-msp430.c (msp430_info_to_howto_rela): Likewise. * elf32-mt.c (mt_info_to_howto_rela): Likewise. * elf32-nds32.c (nds32_info_to_howto_rel): Likewise. * elf32-or1k.c (or1k_info_to_howto_rela): Likewise. * elf32-rl78.c (rl78_info_to_howto_rela): Likewise. * elf32-rx.c (rx_info_to_howto_rela): Likewise. * elf32-v850.c (v850_elf_info_to_howto_rel): Likewise. * elf32-visium.c (visium_info_to_howto_rela): Likewise. * elf32-xgate.c (xgate_info_to_howto_rel): Likewise. * elf32-xtensa.c (elf_xtensa_info_to_howto_rela): Likewise. 
* elf64-mmix.c (mmix_info_to_howto_rela): Likewise. * elf64-x86-64.c (elf_x86_64_reloc_type_lookup): Likewise. * elfnn-aarch64.c (elfNN_aarch64_bfd_reloc_from_type): Likewise. * elf64-sparc.c (elf64_sparc_slurp_one_reloc_table): Add range checking of reloc symbol index. * mach-o.c (bfd_mach_o_canonicalize_one_reloc): If no symbols have been provided then set the reloc's symbol to undefined. * reloc.c (bfd_generic_get_relocated_section_contents): Add range checking of the reloc to be applied. * versados.c (process_otr): Add more range checks. (versados_canonicalize_reloc): If the section is unknown, set the symbol to undefined. * vms-alpha.c (_bfd_vms_slurp_eisd): Add range checks. (alpha_vms_object_p): Likewise.
---
 bfd/archive.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'bfd/archive.c')
diff --git a/bfd/archive.c b/bfd/archive.c
index 0ab4f6e..99096c3 100644
--- a/bfd/archive.c
+++ b/bfd/archive.c
@@ -902,6 +902,9 @@ do_slurp_bsd_armap (bfd *abfd)
     return FALSE;
   parsed_size = mapdata->parsed_size;
   free (mapdata);
+  /* PR 17512: file: 883ff754. */
+  if (parsed_size == 0)
+    return FALSE;
 
   raw_armap = (bfd_byte *) bfd_zalloc (abfd, parsed_size);
   if (raw_armap == NULL)
@@ -917,7 +920,6 @@ do_slurp_bsd_armap (bfd *abfd)
     }
 
   ardata->symdef_count = H_GET_32 (abfd, raw_armap) / BSD_SYMDEF_SIZE;
-
   if (ardata->symdef_count * BSD_SYMDEF_SIZE >
       parsed_size - BSD_SYMDEF_COUNT_SIZE)
     {
@@ -1138,6 +1140,7 @@ bfd_slurp_armap (bfd *abfd)
     return FALSE;
   if (bfd_seek (abfd, -(file_ptr) (sizeof (hdr) + 20), SEEK_CUR) != 0)
     return FALSE;
+  extname[20] = 0;
   if (CONST_STRNEQ (extname, "__.SYMDEF SORTED")
       || CONST_STRNEQ (extname, "__.SYMDEF"))
     return do_slurp_bsd_armap (abfd);
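Review bot: The new guard in the first hunk rejects only parsed_size == 0, yet the code that follows reads a 32-bit symdef count out of raw_armap (H_GET_32) and, in the second hunk, computes `parsed_size - BSD_SYMDEF_COUNT_SIZE`; a parsed_size of 1..3 still passes, so the H_GET_32 read runs past the bfd_zalloc'd buffer and the subtraction wraps if parsed_size is unsigned (it appears to be), which defeats the bounds comparison that follows. Tightening the check to the smallest header the code consumes covers both: `if (parsed_size < BSD_SYMDEF_COUNT_SIZE) return FALSE;`. The comment should also say why the check exists rather than only naming the fuzz case, e.g. `/* PR 17512: file: 883ff754.  The armap must hold at least the symdef count.  */`. do_slurp_bsd_armap begins outside the hunk.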
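Review bot: In the third hunk `extname[20] = 0;` is only in bounds if extname is declared with at least 21 elements, and that declaration is outside the hunk (bfd_slurp_armap begins before it), so the hunk cannot show whether the terminator lands inside the buffer or one past it. Tie the write to the buffer rather than a bare index, `extname[sizeof extname - 1] = 0;`, assuming extname is an array and not a pointer, and say what it is for: `/* The name was read without a terminator; terminate it before it is used as a string.  */`. The seek back of `sizeof (hdr) + 20` suggests exactly 20 bytes were read into it, which is consistent with a 21-byte buffer, but that should be confirmed against the declaration.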
@@ -1971,7 +1974,9 @@ bfd_generic_stat_arch_elt (bfd *abfd, struct stat *buf)
     }
 
   hdr = arch_hdr (abfd);
-
+  /* PR 17512: file: 3d9e9fe9. */
+  if (hdr == NULL)
+    return -1;
 #define foo(arelt, stelt, size) \
   buf->stelt = strtol (hdr->arelt, &aloser, size); \
   if (aloser == hdr->arelt) \
-- cgit v1.1
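Review bot: The added `return -1;` reports failure without recording a reason in the bfd error state, so a caller that checks bfd_get_error() after this -1 would see whatever value was left by an earlier call; the earlier early return in this function is outside the hunk, so I cannot tell from here whether it sets one, but bfd's other failure paths do. Add `bfd_set_error (bfd_error_malformed_archive);` on the line before `return -1;`. The comment should also say what the check guards against rather than only the fuzz file, e.g. `/* PR 17512: file: 3d9e9fe9.  A NULL header here means the element could not be parsed; do not dereference it below.  */`, adjusting the wording if arch_hdr can be NULL for another reason. bfd_generic_stat_arch_elt begins outside the hunk.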