This is the mail archive of the binutils@sources.redhat.com mailing list for the binutils project.
Re: buffer overflow with ar
On Thu, Jul 07, 2005 at 06:09:43PM +0200, Ralf Corsepius wrote:
> On Thu, 2005-07-07 at 12:44 +0100, Nick Clifton wrote:
> > Hi Ralf,
> >
> > > When trying to use a cross-ar from vanilla binutils-2.16 or
> > > binutils-2.16.1 on FC4, I am observing this
> > >
> > > # arm-rtems4.7-ar rc ./libgcc.a libgcc/./_udivsi3.o
> > > *** buffer overflow detected ***: arm-rtems4.7-ar terminated
> >
> > > /lib/libc.so.6(__sprintf_chk+0x30)[0x1eee24]
> > > arm-rtems4.7-ar[0x804f5f6]
>
> > Can you run this under a debugger and find out which call to sprintf is
> > overflowing, and what the parameters are?
>
> The sprintf in bfd/archive.c:2071 (binutils-2.16.1) is the culprit:
>
> 2069 memset (&hdr, 0, sizeof (struct ar_hdr));
> 2070 hdr.ar_name[0] = '/';
> 2071 sprintf (hdr.ar_size, "%-10d", (int) mapsize);
> 2072 sprintf (hdr.ar_date, "%ld", (long) time (NULL));
> 2073 /* This, at least, is what Intel coff sets the values to. */
> 2074 sprintf ((hdr.ar_uid), "%d", 0);
> 2075 sprintf ((hdr.ar_gid), "%d", 0);
> 2076 sprintf ((hdr.ar_mode), "%-7o", (unsigned) 0);
> 2077 strncpy (hdr.ar_fmag, ARFMAG, 2);
See http://sources.redhat.com/ml/binutils/2005-03/msg00180.html
Jakub
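
The failure reported above comes from sprintf appending a terminating NUL after a fixed-width header field: "%-10d" produces ten characters plus the NUL, one byte more than the 10-byte ar_size field holds. As an added example (not code from binutils or from the linked message), one way to fill such fields is to format into a scratch buffer and copy only what fits; the struct mirrors the standard ar header layout, and `fill_field` and `build_map_header` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Local mirror of the standard ar member header layout (cf. <ar.h>). */
struct ar_hdr_example {
  char ar_name[16], ar_date[12], ar_uid[6], ar_gid[6];
  char ar_mode[8], ar_size[10], ar_fmag[2];
};

/* Hypothetical helper: format VALUE into a scratch buffer, then copy it
   left-justified and space-padded into FIELD without a terminating NUL.
   Returns 0 on success, -1 if the digits do not fit in LEN bytes.  */
static int
fill_field (char *field, size_t len, unsigned long value, int octal)
{
  char tmp[32];
  int n = snprintf (tmp, sizeof tmp, octal ? "%lo" : "%lu", value);

  if (n < 0 || (size_t) n >= sizeof tmp || (size_t) n > len)
    return -1;                  /* refuse instead of spilling over */
  memset (field, ' ', len);
  memcpy (field, tmp, (size_t) n);
  return 0;
}

/* Hypothetical helper: build the header of an archive map that is
   MAPSIZE bytes long.  DATE is passed in so the result is reproducible.  */
static int
build_map_header (struct ar_hdr_example *hdr, unsigned long mapsize,
                  unsigned long date)
{
  memset (hdr, ' ', sizeof *hdr);       /* ar headers are space padded */
  hdr->ar_name[0] = '/';
  if (fill_field (hdr->ar_size, sizeof hdr->ar_size, mapsize, 0) != 0
      || fill_field (hdr->ar_date, sizeof hdr->ar_date, date, 0) != 0
      || fill_field (hdr->ar_uid, sizeof hdr->ar_uid, 0, 0) != 0
      || fill_field (hdr->ar_gid, sizeof hdr->ar_gid, 0, 0) != 0
      || fill_field (hdr->ar_mode, sizeof hdr->ar_mode, 0, 1) != 0)
    return -1;
  memcpy (hdr->ar_fmag, "`\n", 2);      /* the ARFMAG terminator */
  return 0;
}
```

A value that fills the field exactly is stored without a NUL, so the adjacent ar_fmag bytes stay intact, and a value that is too wide is rejected rather than truncated.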