This is the mail archive of the binutils@sources.redhat.com mailing list for the binutils project.



[PATCH] memcmp() error in gas/dwarf2dbg.c


Hi,

there is a possible memory overflow in gas/dwarf2dbg.c: get_filenum():375

	if (memcmp (filename, dirs[dir], dir_len) == 0
	    && dirs[dir][dir_len] == '\0')

dir_len is set to strlen(filename), which will overflow onto unallocated memory if strlen(filename) > strlen(dirs[dir]).
The attached patch fixes this.


Please keep me cc'ed as I'm not on this list.

Cheers,

Hannes
--
Dr. Hannes Reinecke			hare@suse.de
SuSE Linux AG				S390 & zSeries
Maxfeldstraße 5				+49 911 74053 688
90409 Nürnberg				http://www.suse.de
--- binutils-2.14.90.0.8/gas/dwarf2dbg..c.orig	2004-02-13 11:55:05.470239719 +0100
+++ binutils-2.14.90.0.8/gas/dwarf2dbg.c	2004-02-13 11:57:23.679576129 +0100
@@ -339,7 +339,7 @@ get_filenum (const char *filename, unsig
 {
   static unsigned int last_used, last_used_dir_len;
   const char *file;
-  size_t dir_len;
+  size_t dir_len, tmp_len;
   unsigned int i, dir;
 
   if (num == 0 && last_used)
@@ -372,8 +372,9 @@ get_filenum (const char *filename, unsig
     {
       --dir_len;
       for (dir = 1; dir < dirs_in_use; ++dir)
-	if (memcmp (filename, dirs[dir], dir_len) == 0
-	    && dirs[dir][dir_len] == '\0')
+	tmp_len = strlen(dirs[dir]) < dir_len?strlen(dirs[dir]):dir_len;
+	if (memcmp (filename, dirs[dir], tmp_len) == 0
+	    && dirs[dir][tmp_len] == '\0')
 	  break;
 
       if (dir >= dirs_in_use)
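
Review bot: The added `tmp_len = ...` line sits directly under the unbraced `for (dir = 1; dir < dirs_in_use; ++dir)`, so it becomes the loop's only statement and the `if (memcmp ...)` with its `break` falls outside the loop; the assignment and the `if` need to be wrapped in braces. Separately, whenever `strlen(dirs[dir])` is shorter than `dir_len`, the clamped length makes `dirs[dir][tmp_len] == '\0'` true by construction, so a table entry that is only a prefix of the directory part of `filename` is accepted as a match. Requiring `strlen (dirs[dir]) == dir_len` before the `memcmp` would avoid both the over-read and the prefix match, and would drop the second `strlen` call.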

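The directory comparison discussed in this message, as an added C example (not code from binutils or from the patch): a length-clamped comparison is memory-safe but matches on a prefix, while a `strncmp`-based exact comparison is both bounded and strict. The names `dir_clamped`, `dir_equals`, `find_dir` and `sample_dirs` are hypothetical, the table is constructed, and taking the directory part as everything before the last `/` is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef bool (*dir_cmp) (const char *filename, size_t dir_len, const char *dir);

/* Clamped comparison: never reads past the end of dir, but accepts any
   table entry that is merely a prefix of the directory part.  */
static bool dir_clamped (const char *filename, size_t dir_len, const char *dir)
{
  size_t n = strlen (dir) < dir_len ? strlen (dir) : dir_len;
  return memcmp (filename, dir, n) == 0 && dir[n] == '\0';
}

/* Exact comparison: strncmp stops at the NUL of a short dir, and a zero
   result proves dir has at least dir_len bytes, so dir[dir_len] is in
   bounds.  Requires dir_len <= strlen (filename).  */
static bool dir_equals (const char *filename, size_t dir_len, const char *dir)
{
  return strncmp (filename, dir, dir_len) == 0 && dir[dir_len] == '\0';
}

/* Constructed table; slot 0 is unused because the search starts at 1.  */
static const char *const sample_dirs[] = { NULL, "/usr", "/usr/include" };

/* Hypothetical stand-in for the search loop: returns the matching index,
   n when nothing matches, or 0 when filename has no directory part.  */
static size_t find_dir (const char *filename, const char *const *dirs,
                        size_t n, dir_cmp same)
{
  const char *slash = strrchr (filename, '/');
  size_t dir_len, dir;

  if (slash == NULL)
    return 0;
  dir_len = (size_t) (slash - filename);
  for (dir = 1; dir < n; ++dir)
    if (same (filename, dir_len, dirs[dir]))
      break;
  return dir;
}

int main (void)
{
  const char *f = "/usr/include/stdio.h";
  printf ("clamped: %zu\n", find_dir (f, sample_dirs, 3, dir_clamped));
  printf ("exact:   %zu\n", find_dir (f, sample_dirs, 3, dir_equals));
  return 0;
}
```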