From 0a9d414aa114b7b7e609cbcbc285f79031bbe608 Mon Sep 17 00:00:00 2001 
From: Nick Clifton Date: Fri, 21 Nov 2014 21:44:04 +0000 Subject: Fixes for memory access violations exposed by fuzzinf various binaries. PR binutils/17512 * dwarf.c (get_encoded_value): Check for an encoded size of 0. (display_debug_lines_raw): Check for an invalid line range value. (display_debug_frames): Check for corrupt augmentation data. * coffgen.c (coff_get_normalized_symtab): Check for an excessive number of auxiliary entries. * ieee.c (next_byte): Convert to a function. Return FALSE if the next byte is beyond the end of the buffer. (parse_int): Test the return value of next_byte. (parse_expression): Convert to boolean. Return FALSE if the parsing failed. Test the return value of next_byte. (ieee_seek): Convert to a function. Return FALSE if the seek goes beyond the end of the buffer. (ieee_slurp_external_symbols): Test the return value of ieee_seek and next_byte. (ieee_slurp_sections): Convert to boolean. Return FALSE if the operation failed. Test the return value of ieee_seek and next_byte. (ieee_archive_p): Test the return value of ieee_seek and next_byte. (do_one): Likewise. (ieee_slurp_section_data): Likewise. (ieee_object_p): Likewise. Store the size of the buffer in the total_amt field in the header. * libieee.h (common_header_type): Add amt field. * mach-o.c (bfd_mach_o_canonicalize_one_reloc): Check that the reloc's value is within range. (bfd_mach_o_read_symtab_symbols): Nullify the symbols field if the operation fails. * pei-x86_64.c (pex64_xdata_print_uwd_codes): Replace abort with an error message. (pex64_dump_xdata): Check for buffer overflows. * versados.c (process_otr): Check that the section exists before taking its size. (versados_object_p): Make sure that enough data was read for the header to be checked. * vms-alpha.c (vms_get_remaining_object_record): Change read_so_far parameter to an unsigned int. Check that the amount read is in range.
--- bfd/mach-o.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'bfd/mach-o.c') diff --git a/bfd/mach-o.c b/bfd/mach-o.c index 3952689..c13fff3 100644 --- a/bfd/mach-o.c +++ b/bfd/mach-o.c @@ -1363,9 +1363,11 @@ bfd_mach_o_canonicalize_one_reloc (bfd *abfd, } else { + /* PR 17512: file: 006-2964-0.004. */ + if (num >= mdata->nsects) + return -1; + /* A section number. */ - BFD_ASSERT (num <= mdata->nsects); - sym = mdata->sections[num - 1]->bfdsection->symbol_ptr_ptr; /* For a symbol defined in section S, the addend (stored in the binary) contains the address of the section. To comply with @@ -3660,10 +3662,8 @@ bfd_mach_o_read_symtab_symbols (bfd *abfd) unsigned long i; if (sym == NULL || sym->symbols) - { - /* Return now if there are no symbols or if already loaded. */ - return TRUE; - } + /* Return now if there are no symbols or if already loaded. */ + return TRUE; sym->symbols = bfd_alloc (abfd, sym->nsyms * sizeof (bfd_mach_o_asymbol)); @@ -3674,12 +3674,18 @@ bfd_mach_o_read_symtab_symbols (bfd *abfd) } if (!bfd_mach_o_read_symtab_strtab (abfd)) - return FALSE; + { + sym->symbols = NULL; + return FALSE; + } for (i = 0; i < sym->nsyms; i++) { if (!bfd_mach_o_read_symtab_symbol (abfd, sym, &sym->symbols[i], i)) - return FALSE; + { + sym->symbols = NULL; + return FALSE; + } } return TRUE; -- cgit v1.1
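Review bot: The new guard `if (num >= mdata->nsects)` in bfd_mach_o_canonicalize_one_reloc does not match the index used just below it, `mdata->sections[num - 1]`. The removed assert accepted `num <= mdata->nsects`, so section numbers appear to be 1-based. The guard therefore rejects a relocation against the last section (`num == nsects`) and still lets `num == 0` reach an out-of-range index. Unless zero is filtered by the branches above the hunk, which are not visible here, a malformed file can still cause an invalid read. I would write `if (num == 0 || num > mdata->nsects) return -1;`. The function starts and ends outside the hunk.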
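Review bot: The loop `for (i = 0; i < sym->nsyms; i++)` in the last hunk fills `sym->symbols[i]` on the assumption that the buffer holds `nsyms` elements. The allocation size shown as context in the previous hunk, `sym->nsyms * sizeof (bfd_mach_o_asymbol)`, is multiplied without an overflow check. If `nsyms` is taken from the file's symtab command (presumably; its type and origin are not visible here), a very large count could wrap the product on a host with a 32-bit `size_t`, and the loop would then write past a short allocation. A guard before the `bfd_alloc` call would close this, for example `if (sym->nsyms > (size_t) -1 / sizeof (bfd_mach_o_asymbol)) return FALSE;`. As a style point, the two identical `sym->symbols = NULL; return FALSE;` blocks could share a single failure exit.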