This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



Re: PATCH: Avoid buffer overflow in decode_arm_unwind


H.J. Lu patched:
diff --git a/binutils/readelf.c b/binutils/readelf.c
index c76fc17..beaf947 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -6194,10 +6194,10 @@ decode_arm_unwind (struct arm_unw_aux_info *aux,
  	}
        else if (op == 0xb2)
  	{
-	  unsigned char buf[5];
+	  unsigned char buf[9];
  	  unsigned int i, len;
  	  unsigned long offset;
-	  for (i = 0; i<  9; i++)
+	  for (i = 0; i<  sizeof (buf); i++)
  	    {
  	      GET_OP (buf[i]);
  	      if ((buf[i]&  0x80) == 0)
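Review bot: the change fixes the mismatch between the 5-byte declaration and the loop bound of 9, and using sizeof (buf) as the bound keeps the two from drifting apart again, but two points remain in this hunk. First, 9 bytes is more than a 32-bit offset needs (5 groups of 7 bits already hold 35 bits), so deriving the size from sizeof (offset) rather than a literal would document why the bound is what it is. Second, the loop has no failure path when every byte read by GET_OP has bit 7 set: after sizeof (buf) iterations it simply falls through with no terminating byte found, so confirm that the code after the loop (outside this hunk) rejects that case instead of treating buf as a complete encoding.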


Daniel Jacobowitz commented:
It could as easily have been 5 (it's a 32-bit target), but
either is safe.

True safety demands something such as:

#define B2BUFSIZE (1+ (6+ 8*sizeof(offset))/7) /* 7 bits at a time */
...
unsigned char buf[B2BUFSIZE];

--
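The following is an added example, not code from binutils or from either poster. It takes the B2BUFSIZE sizing rule proposed in the reply and pairs it with a bounded "7 bits at a time" decoder of the kind the 0xb2 branch needs: the read loop can never run past the buffer, it reports failure (rather than falling through) when no terminating byte appears within the bound, and it rejects encodings that would not fit the output type. The decoder's name, its error convention (0 bytes consumed on failure) and the sample byte strings are my own constructions.

```c
#include <stddef.h>
#include <stdio.h>

/* Sizing rule from the reply, generalised to a type of NBYTES bytes:
   enough 7-bit groups to hold 8*NBYTES bits, plus one byte of slack. */
#define B2BUFSIZE_FOR(nbytes) (1 + (6 + 8 * (nbytes)) / 7)

/* Bound for an unsigned long on the build host (the page's "offset"). */
#define B2BUFSIZE B2BUFSIZE_FOR(sizeof (unsigned long))

/* Exposed so the sizing rule can be checked for specific widths. */
size_t buf_size_for(size_t nbytes)
{
    return B2BUFSIZE_FOR(nbytes);
}

/* Decode a little-endian base-128 value (low 7 bits per byte, bit 7 set
   on every byte but the last) from IN, reading at most INLEN bytes and
   never more than B2BUFSIZE bytes.  Returns the number of bytes consumed,
   or 0 if the input ends early, no terminating byte appears within the
   bound, or the value does not fit in an unsigned long. */
size_t decode_uleb_bounded(const unsigned char *in, size_t inlen,
                           unsigned long *out)
{
    unsigned char buf[B2BUFSIZE];
    const unsigned bits = 8 * sizeof (unsigned long);
    unsigned long value = 0;
    unsigned shift = 0;
    size_t i, j;

    /* Read phase: the bound is the declaration itself, so it cannot drift. */
    for (i = 0; i < sizeof buf; i++) {
        if (i >= inlen)
            return 0;               /* ran out of input before a terminator */
        buf[i] = in[i];
        if ((buf[i] & 0x80) == 0)
            break;
    }
    if (i == sizeof buf)
        return 0;                   /* all bytes had bit 7 set: malformed */

    /* Assemble phase: refuse groups that would be shifted out of range. */
    for (j = 0; j <= i; j++) {
        unsigned long group = buf[j] & 0x7f;
        if (shift >= bits) {
            if (group != 0)
                return 0;           /* non-zero bits beyond the output width */
        } else {
            if (bits - shift < 7 && (group >> (bits - shift)) != 0)
                return 0;           /* partial group does not fit */
            value |= group << shift;
        }
        shift += 7;
    }
    *out = value;
    return i + 1;
}

/* Helper for checks: 1 if IN decodes to exactly WANT_LEN bytes and WANT_VAL. */
int decodes_to(const unsigned char *in, size_t inlen,
               size_t want_len, unsigned long want_val)
{
    unsigned long v = 0;
    size_t n = decode_uleb_bounded(in, inlen, &v);
    return n == want_len && (n == 0 || v == want_val);
}

int main(void)
{
    /* Constructed samples: a well-formed 3-byte value and an unterminated run. */
    const unsigned char good[] = { 0xe5, 0x8e, 0x26 };
    const unsigned char bad[20] = { 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
                                    0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
                                    0x80, 0x80, 0x80, 0x80, 0x80, 0x80 };
    unsigned long v = 0;

    printf("B2BUFSIZE on this host: %zu bytes\n", (size_t) B2BUFSIZE);
    printf("good: consumed %zu, value %lu\n",
           decode_uleb_bounded(good, sizeof good, &v), v);
    printf("bad:  consumed %zu (0 means rejected)\n",
           decode_uleb_bounded(bad, sizeof bad, &v));
    return 0;
}
```

With the rule as written, a 32-bit offset gets a 6-byte buffer and a 64-bit one gets 11; both include one byte beyond the minimum the width strictly requires. The important behavioural difference from the hunk on the page is the explicit rejection when the loop completes without a terminator, so that a malformed table cannot be decoded as if it were complete.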

