This is the mail archive of the binutils-cvs@sourceware.org mailing list for the binutils project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[binutils-gdb] Fix nm potential buffer overflow


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7358f4cbaf3c6fafbbbc9703a5e2884470643bfa

commit 7358f4cbaf3c6fafbbbc9703a5e2884470643bfa
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Sep 26 17:55:08 2016 +0930

    Fix nm potential buffer overflow
    
    get_coff_symbol_type had a potenial buffer overflow even with
    untranslated messages.
    
    	* nm.c (get_elf_symbol_type): Don't use sprintf with translated
    	strings, use asprintf instead.
    	(get_coff_symbol_type): Likewise.

Diff:
---
 binutils/ChangeLog |  6 ++++++
 binutils/nm.c      | 36 ++++++++++++++++++++++--------------
 2 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 1b86161..edb8cd6 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2016-09-26  Alan Modra  <amodra@gmail.com>
+
+	* nm.c (get_elf_symbol_type): Don't use sprintf with translated
+	strings, use asprintf instead.
+	(get_coff_symbol_type): Likewise.
+
 2016-09-19  Alan Modra  <amodra@gmail.com>
 
 	* nm.c (print_symbol): Remove is_synthetic param.  Test sym->flags
diff --git a/binutils/nm.c b/binutils/nm.c
index 40e5053..1fdfae1 100644
--- a/binutils/nm.c
+++ b/binutils/nm.c
@@ -342,7 +342,8 @@ set_output_format (char *f)
 static const char *
 get_elf_symbol_type (unsigned int type)
 {
-  static char buff [32];
+  static char *bufp;
+  int n;
 
   switch (type)
     {
@@ -353,21 +354,25 @@ get_elf_symbol_type (unsigned int type)
     case STT_FILE:     return "FILE";
     case STT_COMMON:   return "COMMON";
     case STT_TLS:      return "TLS";
-    default:
-      if (type >= STT_LOPROC && type <= STT_HIPROC)
-	sprintf (buff, _("<processor specific>: %d"), type);
-      else if (type >= STT_LOOS && type <= STT_HIOS)
-	sprintf (buff, _("<OS specific>: %d"), type);
-      else
-	sprintf (buff, _("<unknown>: %d"), type);
-      return buff;
     }
+
+  free (bufp);
+  if (type >= STT_LOPROC && type <= STT_HIPROC)
+    n = asprintf (&bufp, _("<processor specific>: %d"), type);
+  else if (type >= STT_LOOS && type <= STT_HIOS)
+    n = asprintf (&bufp, _("<OS specific>: %d"), type);
+  else
+    n = asprintf (&bufp, _("<unknown>: %d"), type);
+  if (n < 0)
+    fatal ("%s", xstrerror (errno));
+  return bufp;
 }
 
 static const char *
 get_coff_symbol_type (const struct internal_syment *sym)
 {
-  static char buff [32];
+  static char *bufp;
+  int n;
 
   switch (sym->n_sclass)
     {
@@ -378,16 +383,19 @@ get_coff_symbol_type (const struct internal_syment *sym)
 
   if (!sym->n_type)
     return "None";
-    
+
   switch (DTYPE(sym->n_type))
     {
     case DT_FCN: return "Function";
     case DT_PTR: return "Pointer";
     case DT_ARY: return "Array";
     }
-  
-  sprintf (buff, _("<unknown>: %d/%d"), sym->n_sclass, sym->n_type);
-  return buff;
+
+  free (bufp);
+  n = asprintf (&bufp, _("<unknown>: %d/%d"), sym->n_sclass, sym->n_type);
+  if (n < 0)
+    fatal ("%s", xstrerror (errno));
+  return bufp;
 }
 
 /* Print symbol name NAME, read from ABFD, with printf format FORM,


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]