


[binutils-gdb] This patch fixes some illegal memory accesses triggered by running coffdump on fuzzed binaries.


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5b7d62376fc942a803d174789fe4464b26f09a02

commit 5b7d62376fc942a803d174789fe4464b26f09a02
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 21 10:33:19 2015 +0000

    This patch fixes some illegal memory accesses triggered by running coffdump on fuzzed binaries.
    
    	PR binutils/17512
    	* coffgrok.c (do_type): Check that computed ref exists.
    	(doit): Add range checks when computing section for scope.

Diff:
---
 binutils/ChangeLog  |  6 ++++++
 binutils/coffgrok.c | 19 +++++++++++++++----
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 372230e..d25b8b6 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2015-01-21  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/17512
+	* coffgrok.c (do_type): Check that computed ref exists.
+	(doit): Add range checks when computing section for scope.
+
 2015-01-12  H.J. Lu  <hongjiu.lu@intel.com>
 
 	* dwarf.c (process_debug_info): Properly check abbrev size.
diff --git a/binutils/coffgrok.c b/binutils/coffgrok.c
index a4c9d54..5dc9558 100644
--- a/binutils/coffgrok.c
+++ b/binutils/coffgrok.c
@@ -476,7 +476,11 @@ do_type (unsigned int i)
 	  /* Referring to a enum defined elsewhere.  */
 	  res->type = coff_enumref_type;
 	  res->u.aenumref.ref = tindex[idx];
-	  res->size = res->u.aenumref.ref->type->size;
+	  /* PR 17512: file: b85b67e8.  */
+	  if (res->u.aenumref.ref)
+	    res->size = res->u.aenumref.ref->type->size;
+	  else
+	    res->size = 0;
 	}
       else
 	{
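Review bot: The new NULL check only protects this one dereference; on the NULL path the node is still tagged `coff_enumref_type` with `res->u.aenumref.ref` left NULL, so any later consumer that follows `aenumref.ref` on an enumref node is likely to hit the same invalid read on the same fuzzed input, unless it already tolerates a NULL ref (not visible here). Either the consumers need the same guard or this node should degrade to a type that carries no reference. Whether `idx` is range-checked before `tindex[idx]` is read is also outside the hunk; do_type's body starts and ends outside it. A comment making the new invariant explicit would help, e.g. `/* ref is NULL when the referenced type is missing (corrupt input); consumers must check before dereferencing.  */`.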
@@ -740,7 +744,11 @@ doit (void)
 		/* PR 17512: file: 0ef7fbaf.  */
 		if (last_function_type)
 		  last_function_type->u.function.code = top_scope;
-		top_scope->sec = ofile->sections + sym->n_scnum;
+		/* PR 17512: file: 22908266.  */
+		if (sym->n_scnum < ofile->nsections && sym->n_scnum >= 0)
+		  top_scope->sec = ofile->sections + sym->n_scnum;
+		else
+		  top_scope->sec = NULL;
 		top_scope->offset = sym->n_value;
 	      }
 	    else
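Review bot: `top_scope->sec = NULL` introduces a state that code reading `->sec` later (dumping, offset or size computations) may not expect, and nothing in the hunks shows those readers checking for NULL, so the crash may simply move rather than disappear; confirm the consumers or handle the NULL case there too. The same range check is written out a second time in the block-start hunk below `push_scope (1)`; a single static helper mapping `n_scnum` to a section pointer, returning NULL when out of range, would keep the two in sync. Writing the condition as `if (sym->n_scnum >= 0 && sym->n_scnum < ofile->nsections)` reads more naturally and makes explicit that both operands are signed, which the comparison relies on (I believe `n_scnum` is a signed `short` but the hunk does not show the declaration). The enclosing function doit starts and ends outside this hunk.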
@@ -750,7 +758,6 @@ doit (void)
 		  fatal (_("Function start encountered without a top level scope."));
 		top_scope->size = sym->n_value - top_scope->offset + 1;
 		pop_scope ();
-
 	      }
 	    i += sym->n_numaux + 1;
 	  }
@@ -764,7 +771,11 @@ doit (void)
 	      {
 		/* Block start.  */
 		push_scope (1);
-		top_scope->sec = ofile->sections + sym->n_scnum;
+		/* PR 17512: file: af7e8e83.  */
+		if (sym->n_scnum < ofile->nsections && sym->n_scnum >= 0)
+		  top_scope->sec = ofile->sections + sym->n_scnum;
+		else
+		  top_scope->sec = NULL;
 		top_scope->offset = sym->n_value;
 	      }
 	    else

