
[binutils-gdb] Fix seg-faults in objdump when disassembling a corrupt versados binary.


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04f963fd489cae724a60140e13984415c205f4ac

commit 04f963fd489cae724a60140e13984415c205f4ac
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jun 14 10:35:16 2017 +0100

    Fix seg-faults in objdump when disassembling a corrupt versados binary.
    
    	PR binutils/21591
    	* versados.c (versados_mkobject): Zero the allocated tdata structure.
    	(process_otr): Check for an invalid offset in the otr structure.

Diff:
---
 bfd/ChangeLog  |  6 ++++++
 bfd/versados.c | 12 ++++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 67fd18a..a035ab5 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2017-06-14  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/21591
+	* versados.c (versados_mkobject): Zero the allocated tdata structure.
+	(process_otr): Check for an invalid offset in the otr structure.
+
 2017-06-14  Sebastian Huber  <sebastian.huber@embedded-brains.de>
 
 	* config.bfd (epiphany-*-elf): Accept epiphany-*-*.
diff --git a/bfd/versados.c b/bfd/versados.c
index 2efbcff..f0c5fdf 100644
--- a/bfd/versados.c
+++ b/bfd/versados.c
@@ -149,7 +149,7 @@ versados_mkobject (bfd *abfd)
   if (abfd->tdata.versados_data == NULL)
     {
       bfd_size_type amt = sizeof (tdata_type);
-      tdata_type *tdata = bfd_alloc (abfd, amt);
+      tdata_type *tdata = bfd_zalloc (abfd, amt);
 
       if (tdata == NULL)
 	return FALSE;
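Review bot: The switch from bfd_alloc to bfd_zalloc on the tdata line carries the fix the PR title describes, but nothing in the code says why zeroing matters here, and a later change back to bfd_alloc would silently reintroduce the crash. A short comment above the allocation would pin the intent: `/* PR 21591: zero the tdata so fields the parser never fills in are not read uninitialized on corrupt input.  */`. versados_mkobject's body continues outside the hunk.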
@@ -345,13 +345,13 @@ reloc_howto_type versados_howto_table[] =
 };
 
 static int
-get_offset (int len, unsigned char *ptr)
+get_offset (unsigned int len, unsigned char *ptr)
 {
   int val = 0;
 
   if (len)
     {
-      int i;
+      unsigned int i;
 
       val = *ptr++;
       if (val & 0x80)
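Review bot: Changing `len` to `unsigned int` removes the negative-length case, but get_offset still dereferences `ptr` with no bound of its own, so the only protection against reading past the record is whatever the caller checked before the call. Since this hunk is the signature, a contract comment above it would make that dependency explicit: `/* Decode a LEN-byte offset stored at PTR.  PTR must have at least LEN readable bytes; the caller is responsible for that bounds check.  */`. The function body continues outside the hunk, so I cannot see how values of `len` larger than the width of `int val` are handled by the remaining shifts.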
@@ -394,9 +394,13 @@ process_otr (bfd *abfd, struct ext_otr *otr, int pass)
 	  int flag = *srcp++;
 	  int esdids = (flag >> 5) & 0x7;
 	  int sizeinwords = ((flag >> 3) & 1) ? 2 : 1;
-	  int offsetlen = flag & 0x7;
+	  unsigned int offsetlen = flag & 0x7;
 	  int j;
 
+	  /* PR 21591: Check for invalid lengths.  */
+	  if (srcp + esdids + offsetlen >= endp)
+	    return;
+
 	  if (esdids == 0)
 	    {
 	      /* A zero esdid means the new pc is the offset given.  */
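Review bot: The new check `if (srcp + esdids + offsetlen >= endp)` rejects a record whose esdid bytes and offset bytes end exactly at `endp`, since the last byte consumed is at `srcp + esdids + offsetlen - 1`; if those are the only bytes this entry consumes, `>` is the exact bound and `>=` drops a well-formed final entry. If the rest of the body (outside the hunk) reads further bytes after the offset, then `>=` is a coincidental margin rather than a proof and the bound should be computed from the full entry length instead. A comment stating which bytes the check covers would settle this either way: `/* SRCP has already passed the flag byte; ESDIDS esdid bytes and OFFSETLEN offset bytes follow and must lie inside the OTR record.  */`. process_otr starts and ends outside the hunk, and the definition of `endp` is not visible.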

