Fix nm potential buffer overflow
- From: Alan Modra <amodra at gmail dot com>
- To: binutils at sourceware dot org
- Date: Mon, 26 Sep 2016 18:20:59 +0930
- Subject: Fix nm potential buffer overflow
- Authentication-results: sourceware.org; auth=none
get_coff_symbol_type had a potential buffer overflow even with
untranslated messages, warned by current gcc. I was going to fix this
by increasing the buffer size but that solution fails when we have an
unexpectedly large translation.
* nm.c (get_elf_symbol_type): Don't use sprintf with translated
strings, use asprintf instead.
(get_coff_symbol_type): Likewise.
diff --git a/binutils/nm.c b/binutils/nm.c
index 40e5053..1fdfae1 100644
--- a/binutils/nm.c
+++ b/binutils/nm.c
@@ -342,7 +342,8 @@ set_output_format (char *f)
static const char *
get_elf_symbol_type (unsigned int type)
{
- static char buff [32];
+ static char *bufp;
+ int n;
switch (type)
{
@@ -353,21 +354,25 @@ get_elf_symbol_type (unsigned int type)
case STT_FILE: return "FILE";
case STT_COMMON: return "COMMON";
case STT_TLS: return "TLS";
- default:
- if (type >= STT_LOPROC && type <= STT_HIPROC)
- sprintf (buff, _("<processor specific>: %d"), type);
- else if (type >= STT_LOOS && type <= STT_HIOS)
- sprintf (buff, _("<OS specific>: %d"), type);
- else
- sprintf (buff, _("<unknown>: %d"), type);
- return buff;
}
+
+ free (bufp);
+ if (type >= STT_LOPROC && type <= STT_HIPROC)
+ n = asprintf (&bufp, _("<processor specific>: %d"), type);
+ else if (type >= STT_LOOS && type <= STT_HIOS)
+ n = asprintf (&bufp, _("<OS specific>: %d"), type);
+ else
+ n = asprintf (&bufp, _("<unknown>: %d"), type);
+ if (n < 0)
+ fatal ("%s", xstrerror (errno));
+ return bufp;
}
static const char *
get_coff_symbol_type (const struct internal_syment *sym)
{
- static char buff [32];
+ static char *bufp;
+ int n;
switch (sym->n_sclass)
{
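Review bot: The pointer returned after the switch in get_elf_symbol_type is now heap memory that the next call releases with `free (bufp)`, so a caller that keeps one result across a second call would read freed memory, where the old static `buff` was merely overwritten. The callers are outside this hunk, so whether any of them holds the result that long cannot be checked from here. I would state the lifetime above the function, e.g. `/* The returned string is valid only until the next call. */`. The same applies to get_coff_symbol_type in the following hunk. The function itself begins above this hunk.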
@@ -378,16 +383,19 @@ get_coff_symbol_type (const struct internal_syment *sym)
if (!sym->n_type)
return "None";
-
+
switch (DTYPE(sym->n_type))
{
case DT_FCN: return "Function";
case DT_PTR: return "Pointer";
case DT_ARY: return "Array";
}
-
- sprintf (buff, _("<unknown>: %d/%d"), sym->n_sclass, sym->n_type);
- return buff;
+
+ free (bufp);
+ n = asprintf (&bufp, _("<unknown>: %d/%d"), sym->n_sclass, sym->n_type);
+ if (n < 0)
+ fatal ("%s", xstrerror (errno));
+ return bufp;
}
/* Print symbol name NAME, read from ABFD, with printf format FORM,
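Review bot: The failure branch after `asprintf` prints `xstrerror (errno)`, but errno is only presumed to describe the failure; an asprintf implementation may return -1 without setting it, and the fatal message would then name an unrelated error. If libiberty's `xasprintf` is available in this tree, `bufp = xasprintf (_("<unknown>: %d/%d"), sym->n_sclass, sym->n_type);` would drop `n` and the check altogether. The same pattern appears in get_elf_symbol_type in the previous hunk. The body of get_coff_symbol_type starts above this hunk.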
--
Alan Modra
Australia Development Lab, IBM