This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
Re: [patch] null ptr in srec_get_section_contents
- From: Alan Modra <amodra at bigpond dot net dot au>
- To: msnyder at sonic dot net
- Cc: binutils at sourceware dot org
- Date: Thu, 26 Jul 2007 22:04:45 +0930
- Subject: Re: [patch] null ptr in srec_get_section_contents
- References: <17078.12.7.175.2.1185404760.squirrel@webmail.sonic.net>
On Wed, Jul 25, 2007 at 04:06:00PM -0700, msnyder@sonic.net wrote:
> Nothing to be done if section->size is zero, and we'll die on memcpy
> if the ptr is null.
Hmm, your patch doesn't make this function any worse, but really we
should be checking for nonsense input params, which will cover the
section->size == 0 case.
* srec.c (srec_get_section_contents): Return immediately on
count zero. Check that offset and count are within section.
* libbfd.c (_bfd_generic_get_section_contents): Check that
offset + count does not overflow.
Index: bfd/srec.c
===================================================================
RCS file: /cvs/src/src/bfd/srec.c,v
retrieving revision 1.43
diff -u -p -r1.43 srec.c
--- bfd/srec.c 26 Jul 2007 11:13:59 -0000 1.43
+++ bfd/srec.c 26 Jul 2007 12:18:09 -0000
@@ -781,10 +781,20 @@ srec_get_section_contents (bfd *abfd,
file_ptr offset,
bfd_size_type count)
{
+ if (count == 0)
+ return TRUE;
+
+ if (offset + count < count
+ || offset + count > section->size)
+ {
+ bfd_set_error (bfd_error_invalid_operation);
+ return FALSE;
+ }
+
if (section->used_by_bfd == NULL)
{
section->used_by_bfd = bfd_alloc (abfd, section->size);
- if (section->used_by_bfd == NULL && section->size != 0)
+ if (section->used_by_bfd == NULL)
return FALSE;
if (! srec_read_section (abfd, section, section->used_by_bfd))
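Review bot: the new guard `offset + count < count` deserves a one-line comment, because without one it reads as a tautology. It works only because of the visible types: `offset` is a signed `file_ptr`, `count` an unsigned `bfd_size_type`, so the sum is evaluated unsigned and a negative or huge offset either makes the sum smaller than `count` or wraps it above `section->size`. Something like `/* Reject offset + count wrapping or running past the section.  */` above the `if` would save the next reader the derivation. Second, dropping `&& section->size != 0` from the `bfd_alloc` test is correct, but only because the checks just added guarantee `section->size >= count > 0` when that line is reached; that dependency is worth stating in the ChangeLog entry or a comment, since the two pieces of code are otherwise easy to separate in a later edit.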
Index: bfd/libbfd.c
===================================================================
RCS file: /cvs/src/src/bfd/libbfd.c,v
retrieving revision 1.47
diff -u -p -r1.47 libbfd.c
--- bfd/libbfd.c 3 Jul 2007 14:26:42 -0000 1.47
+++ bfd/libbfd.c 26 Jul 2007 12:31:51 -0000
@@ -820,7 +820,8 @@ _bfd_generic_get_section_contents (bfd *
return TRUE;
sz = section->rawsize ? section->rawsize : section->size;
- if (offset + count > sz)
+ if (offset + count < count
+ || offset + count > sz)
{
bfd_set_error (bfd_error_invalid_operation);
return FALSE;
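Review bot: this is the same two-line validation now added to `srec_get_section_contents`, so there are two copies of a check that reads as nonsense without explanation and that must be kept in sync. Consider factoring it into one small inline helper, or at least adding the same explanatory comment here as in srec.c (`offset` is a signed `file_ptr`, `count` an unsigned `bfd_size_type`, and `offset + count < count` catches both the wrapped sum and a negative offset). The comparison against `sz` keeps the existing rawsize-or-size choice, which is fine; the point is only that the wrap test is now the same idiom in two files.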
--
Alan Modra
Australia Development Lab, IBM
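The following is an added, stand-alone C example, not code from the patch or from BFD, that demonstrates the validation idiom the patch introduces: a window of `count` bytes at `offset` is accepted only when the unsigned sum `offset + count` neither wraps nor exceeds the section size, and a zero count is accepted immediately. The `file_ptr` and `bfd_size_type` typedefs, the `range_ok` and `get_contents` helpers, and the 16-byte sample section are all constructed for this example and are not BFD's own definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the BFD types seen in the patch (assumption: a
   signed 64-bit offset and an unsigned 64-bit size).  Not BFD headers. */
typedef int64_t  file_ptr;
typedef uint64_t bfd_size_type;

/* Constructed 16-byte sample section and a scratch output buffer. */
static const unsigned char sample_section[16] =
  { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
static unsigned char scratch[16];

/* The patch's check.  The sum is computed in unsigned arithmetic (the
   cast makes explicit what the implicit conversion in the patch does):
     end < count  -> the sum wrapped, which also covers a negative offset
     end > size   -> the window runs past the end of the section */
bool range_ok(file_ptr offset, bfd_size_type count, bfd_size_type size)
{
  bfd_size_type end = (bfd_size_type) offset + count;
  if (end < count)
    return false;
  if (end > size)
    return false;
  return true;
}

/* Copy 'count' bytes at 'offset' out of 'section' into 'dst'.
   Returns the number of bytes copied, or -1 for a rejected request.
   A zero count is accepted and copies nothing, matching the patched
   srec_get_section_contents. */
int64_t get_contents(const unsigned char *section, bfd_size_type size,
                     file_ptr offset, bfd_size_type count, unsigned char *dst)
{
  if (count == 0)
    return 0;
  if (!range_ok(offset, count, size))
    return -1;
  /* Safe: offset >= 0 and offset + count <= size were just established. */
  memcpy(dst, section + offset, (size_t) count);
  return (int64_t) count;
}

int main(void)
{
  printf("in range : %lld\n", (long long) get_contents(sample_section, 16, 4, 8, scratch));         /* 8  */
  printf("past end : %lld\n", (long long) get_contents(sample_section, 16, 12, 8, scratch));        /* -1 */
  printf("negative : %lld\n", (long long) get_contents(sample_section, 16, -4, 8, scratch));        /* -1 */
  printf("wrap     : %lld\n", (long long) get_contents(sample_section, 16, INT64_MAX, 2, scratch)); /* -1 */
  printf("zero cnt : %lld\n", (long long) get_contents(sample_section, 16, 100, 0, scratch));       /* 0  */
  return 0;
}
```

The negative-offset case is the one worth studying: `-4` becomes `0xFFFF...FFFC` as an unsigned value, adding 8 wraps to 4, and `4 < 8` rejects it, which is why a single unsigned comparison covers both the overflow and the sign problem for the signed offset type.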