This is the mail archive of the binutils-cvs@sourceware.org mailing list for the binutils project.



[binutils-gdb] Fix buffer read overrun by ensuring that DWARF sections containing strings always end in a NUL byte.


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e4f2723003859dc6b33ca0dadbc4a7659ebf1643

commit e4f2723003859dc6b33ca0dadbc4a7659ebf1643
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Aug 31 17:03:23 2017 +0100

    Fix buffer read overrun by ensuring that DWARF sections containing strings always end in a NUL byte.
    
    	PR 22047
    	* dwarf2.c (read_section): If necessary add a terminating NUL byte
    	to dwarf string sections.

Diff:
---
 bfd/ChangeLog |  6 ++++++
 bfd/dwarf2.c  | 23 +++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 1a3cc51..368b558 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2017-08-31  Nick Clifton  <nickc@redhat.com>
+
+	PR 22047
+	* dwarf2.c (read_section): If necessary add a terminating NUL byte
+	to dwarf string sections.
+
 2017-08-31  Alan Modra  <amodra@gmail.com>
 
 	* po/SRC-POTFILES.in: Regenerate.
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 22d6d56..40a187a 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -566,6 +566,29 @@ read_section (bfd *           abfd,
 					  0, *section_size))
 	    return FALSE;
 	}
+
+      /* Paranoia - if we are reading in a string section, make sure that it
+	 is NUL terminated.  This is to prevent string functions from running
+	 off the end of the buffer.  Note - knowing the size of the buffer is
+	 not enough as some functions, eg strchr, do not have a range limited
+	 equivalent.
+
+	 FIXME: We ought to use a flag in the dwarf_debug_sections[] table to
+	 determine the nature of a debug section, rather than checking the
+	 section name as we do here.  */
+      if (*section_size > 0
+	  && (*section_buffer)[*section_size - 1] != 0
+	  && (strstr (section_name, "_str") || strstr (section_name, "names")))
+	{
+	  bfd_byte * new_buffer = malloc (*section_size + 1);
+
+	  _bfd_error_handler (_("warning: dwarf string section '%s' is not NUL terminated"),
+			      section_name);
+	  memcpy (new_buffer, *section_buffer, *section_size);
+	  new_buffer[*section_size] = 0;
+	  free (*section_buffer);
+	  *section_buffer = new_buffer;
+	}
     }
 
   /* It is possible to get a bad value for the offset into the section
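Review bot: the `malloc (*section_size + 1)` result is used without a NULL check, so on allocation failure the following `memcpy (new_buffer, *section_buffer, *section_size);` and `new_buffer[*section_size] = 0;` dereference a null pointer; add a check on `new_buffer` and bail out with `return FALSE;` as the code just above this hunk already does, leaving `*section_buffer` untouched so the caller's cleanup still works. Two smaller points: the warning from `_bfd_error_handler` is issued before the copy, so it would be emitted even on that failure path, and since `*section_size` is deliberately not incremented (the NUL sits one byte past the reported size), a brief comment saying so would save the next reader from "fixing" it.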

