


[binutils-gdb] Fixes memory access violations triggered by running dlltool on fuzzed binaries.


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4e5cb37e7f3403d5398a323566ff9c995f0c9a81

commit 4e5cb37e7f3403d5398a323566ff9c995f0c9a81
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 22 12:06:04 2015 +0000

    Fixes memory access violations triggered by running dlltool on fuzzed binaries.
    
    	PR binutils/17512
    	* coffcode.h (handle_COMDAT): When searching for the section
    	symbol, make sure that there is space left in the symbol table.
    	* vms-alpha.c (_bfd_vms_slurp_ehdr): Add range checks.

Diff:
---
 bfd/ChangeLog   |  7 +++++++
 bfd/coffcode.h  |  7 +++++++
 bfd/vms-alpha.c | 18 ++++++++++++++++++
 3 files changed, 32 insertions(+)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index ceb77ff..bd2f0c1 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2015-01-22  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/17512
+	* coffcode.h (handle_COMDAT): When searching for the section
+	symbol, make sure that there is space left in the symbol table.
+	* vms-alpha.c (_bfd_vms_slurp_ehdr): Add range checks.
+
 2015-01-21  Nick Clifton  <nickc@redhat.com>
 
 	PR binutils/17512
diff --git a/bfd/coffcode.h b/bfd/coffcode.h
index 181f9af..76e5873 100644
--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -1009,6 +1009,13 @@ handle_COMDAT (bfd * abfd,
 
 		seen_state = 1;
 
+		/* PR 17512: file: e2cfe54f.  */
+		if (esym + bfd_coff_symesz (abfd) >= esymend)
+		  {
+		    _bfd_error_handler (_("%B: warning: No symbol for section '%s' found"),
+					abfd, symname);
+		    break;
+		  }
 		/* This is the section symbol.  */
 		bfd_coff_swap_aux_in (abfd, (esym + bfd_coff_symesz (abfd)),
 				      isym.n_type, isym.n_sclass,
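Review bot: The new guard `if (esym + bfd_coff_symesz (abfd) >= esymend)` only establishes that the next entry starts before `esymend`, yet bfd_coff_swap_aux_in on the following lines reads a full symesz-byte auxiliary entry from that position; the check is sufficient only if `esymend` always lies on a symesz boundary relative to `esym`, which the hunk does not show. Stating the requirement as a length rather than a pointer makes that explicit and avoids forming a pointer past the table: `if ((size_t) (esymend - esym) < 2 * bfd_coff_symesz (abfd))`. The warning text says no symbol was found, whereas what appears to be missing is the auxiliary entry of the section symbol that was just matched (seen_state = 1), so `"%B: warning: No auxiliary entry for section symbol '%s'"` would describe the actual condition, at the cost of touching a translatable message. handle_COMDAT's loop begins and ends outside this hunk.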
diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
index faddf7c..9576607 100644
--- a/bfd/vms-alpha.c
+++ b/bfd/vms-alpha.c
@@ -859,9 +859,12 @@ _bfd_vms_slurp_ehdr (bfd *abfd)
 {
   unsigned char *ptr;
   unsigned char *vms_rec;
+  unsigned char *end;
   int subtype;
 
   vms_rec = PRIV (recrd.rec);
+  /* PR 17512: file: 62736583.  */
+  end = PRIV (recrd.buf) + PRIV (recrd.buf_size);
 
   vms_debug2 ((2, "HDR/EMH\n"));
 
@@ -873,28 +876,42 @@ _bfd_vms_slurp_ehdr (bfd *abfd)
     {
     case EMH__C_MHD:
       /* Module header.  */
+      if (vms_rec + 21 >= end)
+	goto fail;
       PRIV (hdr_data).hdr_b_strlvl = vms_rec[6];
       PRIV (hdr_data).hdr_l_arch1  = bfd_getl32 (vms_rec + 8);
       PRIV (hdr_data).hdr_l_arch2  = bfd_getl32 (vms_rec + 12);
       PRIV (hdr_data).hdr_l_recsiz = bfd_getl32 (vms_rec + 16);
+      if ((vms_rec + 20 + vms_rec[20] + 1) >= end)
+	goto fail;
       PRIV (hdr_data).hdr_t_name   = _bfd_vms_save_counted_string (vms_rec + 20);
       ptr = vms_rec + 20 + vms_rec[20] + 1;
+      if ((ptr + *ptr + 1) >= end)
+	goto fail;
       PRIV (hdr_data).hdr_t_version =_bfd_vms_save_counted_string (ptr);
       ptr += *ptr + 1;
+      if (ptr + 17 >= end)
+	goto fail;
       PRIV (hdr_data).hdr_t_date = _bfd_vms_save_sized_string (ptr, 17);
       break;
 
     case EMH__C_LNM:
+      if (vms_rec + PRIV (recrd.rec_size - 6) > end)
+	goto fail;
       PRIV (hdr_data).hdr_c_lnm =
         _bfd_vms_save_sized_string (vms_rec, PRIV (recrd.rec_size - 6));
       break;
 
     case EMH__C_SRC:
+      if (vms_rec + PRIV (recrd.rec_size - 6) > end)
+	goto fail;
       PRIV (hdr_data).hdr_c_src =
         _bfd_vms_save_sized_string (vms_rec, PRIV (recrd.rec_size - 6));
       break;
 
     case EMH__C_TTL:
+      if (vms_rec + PRIV (recrd.rec_size - 6) > end)
+	goto fail;
       PRIV (hdr_data).hdr_c_ttl =
         _bfd_vms_save_sized_string (vms_rec, PRIV (recrd.rec_size - 6));
       break;
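Review bot: The three guards added for EMH__C_LNM, EMH__C_SRC and EMH__C_TTL form `vms_rec + PRIV (recrd.rec_size - 6)` before comparing with `end`; if rec_size is an unsigned field that a fuzzed record can drive below 6, the subtraction wraps and the pointer sum lands out of range, which is undefined and need not compare as intended. A length-based guard avoids that and no longer depends on `PRIV (x)` expanding textually so that `PRIV (recrd.rec_size - 6)` parses: `if (PRIV (recrd.rec_size) < 6 || (size_t) (end - vms_rec) < PRIV (recrd.rec_size) - 6) goto fail;` with `PRIV (recrd.rec_size) - 6` as the clearer spelling in the calls below it. The EMH__C_MHD checks would benefit from the same form (`(size_t) (end - vms_rec) < 21`, etc.); as written, the `>=` comparisons also reject a record whose last field ends exactly at `end`, which is safe but one byte stricter than the reads require. Note that `end` is the end of the whole record buffer (`PRIV (recrd.buf) + PRIV (recrd.buf_size)` in the first hunk), so a field that overruns the current record but still lies inside the buffer is not caught here; whether rec_size is trustworthy enough for a tighter bound depends on the record reader outside this diff. _bfd_vms_slurp_ehdr continues beyond this hunk.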
@@ -905,6 +922,7 @@ _bfd_vms_slurp_ehdr (bfd *abfd)
       break;
 
     default:
+    fail:
       bfd_set_error (bfd_error_wrong_format);
       return FALSE;
     }

