Bug 5788 - Linker memory corruption
Summary: Linker memory corruption
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: ld
Version: 2.19
Importance: P1 critical
Target Milestone: ---
Assignee: unassigned
Reported: 2008-02-22 23:31 UTC by H.J. Lu
Modified: 2008-02-23 00:03 UTC

Description H.J. Lu 2008-02-22 23:31:03 UTC
This patch

http://sourceware.org/ml/binutils/2007-02/msg00006.html

causes a serious memory corruption in the linker. There are 2 problems in
elf_create_symbuf:

  ssymbuf = bfd_malloc ((shndx_count + 1) * sizeof (*ssymbuf)
                        + (indbufend - indbuf) * sizeof (*ssymbuf));
  if (ssymbuf == NULL)
    {
      free (indbuf);
      return NULL;
    }

  ssym = (struct elf_symbuf_symbol *) (ssymbuf + shndx_count);
  ssymbuf->ssym = NULL;
  ssymbuf->count = shndx_count;
  ssymbuf->st_shndx = 0;

1. Only one combined buffer is allocated for both ssymbuf and ssym.
But it is wrong to assume that the size of ssym is the same as that of ssymbuf.
2. There are shndx_count + 1 entries in ssymbuf. ssym should
start at ssymbuf + shndx_count + 1, not ssymbuf + shndx_count,
since the first entry is for shndx_count.
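An added C sketch, not code from the report or from binutils, that turns the two layout problems above into checkable arithmetic and builds the combined allocation the way the report says it must be laid out. The struct field lists are assumed stand-ins (only ssym, count and st_shndx appear in the report), and nsyms stands for indbufend - indbuf.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the linker's two structures. The field lists are assumed;
   the report shows only the ssym, count and st_shndx members of the head. */
struct elf_symbuf_symbol {
  unsigned long st_name, st_value, st_size;
  unsigned char st_info, st_other;
};
struct elf_symbuf_head {
  unsigned int st_shndx, count;
  struct elf_symbuf_symbol *ssym;
};
/* Problem 1: the quoted code sizes the symbol area with sizeof (*ssymbuf),
   the head struct, although that area holds elf_symbuf_symbol entries. */
size_t buggy_alloc_size(size_t shndx_count, size_t nsyms) {
  return (shndx_count + 1) * sizeof(struct elf_symbuf_head)
       + nsyms * sizeof(struct elf_symbuf_head);
}
size_t needed_alloc_size(size_t shndx_count, size_t nsyms) {
  return (shndx_count + 1) * sizeof(struct elf_symbuf_head)
       + nsyms * sizeof(struct elf_symbuf_symbol);
}
/* Problem 2: ssym must start after all shndx_count + 1 head entries;
   ssymbuf + shndx_count points at the last head entry, not past it. */
size_t buggy_ssym_offset(size_t shndx_count) {
  return shndx_count * sizeof(struct elf_symbuf_head);
}
size_t fixed_ssym_offset(size_t shndx_count) {
  return (shndx_count + 1) * sizeof(struct elf_symbuf_head);
}
/* A layout is sound only if ssym starts past every head entry and the
   whole symbol array fits inside the allocation of `bytes` bytes. */
int layout_ok(size_t shndx_count, size_t ssym_offset, size_t nsyms, size_t bytes) {
  return ssym_offset >= (shndx_count + 1) * sizeof(struct elf_symbuf_head)
      && ssym_offset + nsyms * sizeof(struct elf_symbuf_symbol) <= bytes;
}
/* One combined allocation laid out as both points require; the caller
   frees the returned pointer, ssym lives inside the same block. */
struct elf_symbuf_head *create_symbuf_fixed(size_t shndx_count, size_t nsyms) {
  size_t bytes = needed_alloc_size(shndx_count, nsyms);
  struct elf_symbuf_head *ssymbuf = malloc(bytes);
  if (ssymbuf == NULL) return NULL;
  memset(ssymbuf, 0, bytes);
  ssymbuf->ssym = (struct elf_symbuf_symbol *) (ssymbuf + shndx_count + 1);
  ssymbuf->count = (unsigned int) shndx_count;
  return ssymbuf;   /* st_shndx of the first entry stays 0 from memset */
}
```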
Comment 1 H.J. Lu 2008-02-22 23:58:24 UTC
A patch is posted at

http://sourceware.org/ml/binutils/2008-02/msg00228.html
Comment 2 H.J. Lu 2008-02-23 00:03:40 UTC
Fixed.
Comment 3 H.J. Lu 2008-02-23 00:03:53 UTC
Yes, fixed.