This is the mail archive of the binutils-cvs@sourceware.org mailing list for the binutils project.



[binutils-gdb] Fixes a resource exhaustion problem when running windres on a corrupt binary.


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e3ee40059d4a4e04d10e2b5c46bacd2a810355ca

commit e3ee40059d4a4e04d10e2b5c46bacd2a810355ca
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Feb 26 12:23:18 2015 +0000

    Fixes a resource exhaustion problem when running windres on a corrupt binary.
    
    	PR binutils/17512
    	* resrc.c (write_rc_messagetable): Tighten check for invalid
    	message lengths.

Diff:
---
 binutils/ChangeLog |  6 ++++++
 binutils/resrc.c   | 18 ++++++++++++------
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 2d70760..8657b1d 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2015-02-26  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/17512
+	* resrc.c (write_rc_messagetable): Tighten check for invalid
+	message lengths.
+
 2015-02-26  Terry Guo  <terry.guo@arm.com>
 
 	* readelf.c (arm_attr_tag_ABI_HardFP_use): Update how we
diff --git a/binutils/resrc.c b/binutils/resrc.c
index f0cacd1..b4edba9 100644
--- a/binutils/resrc.c
+++ b/binutils/resrc.c
@@ -2923,6 +2923,7 @@ write_rc_messagetable (FILE *e, rc_uint_type length, const bfd_byte *data)
 {
   int has_error = 0;
   const struct bin_messagetable *mt;
+
   fprintf (e, "BEGIN\n");
 
   write_rc_datablock (e, length, data, 0, 0, 0);
@@ -2952,6 +2953,7 @@ write_rc_messagetable (FILE *e, rc_uint_type length, const bfd_byte *data)
 	    low = windres_get_32 (&wrtarget, mt->items[i].lowid, 4);
 	    high = windres_get_32 (&wrtarget, mt->items[i].highid, 4);
 	    offset = windres_get_32 (&wrtarget, mt->items[i].offset, 4);
+
 	    while (low <= high)
 	      {
 		rc_uint_type elen, flags;
@@ -2971,16 +2973,20 @@ write_rc_messagetable (FILE *e, rc_uint_type length, const bfd_byte *data)
 		wr_printcomment (e, "MessageId = 0x%x", low);
 		wr_printcomment (e, "");
 
-		/* PR 17512: file: 5c3232dc.  */
-		if (elen)
+		if ((flags & MESSAGE_RESOURCE_UNICODE) == MESSAGE_RESOURCE_UNICODE)
 		  {
-		    if ((flags & MESSAGE_RESOURCE_UNICODE) == MESSAGE_RESOURCE_UNICODE)
+		    /* PR 17512: file: 5c3232dc.  */
+		    if (elen > BIN_MESSAGETABLE_ITEM_SIZE * 2)
 		      unicode_print (e, (const unichar *) mti->data,
 				     (elen - BIN_MESSAGETABLE_ITEM_SIZE) / 2);
-		    else
+		  }
+		else
+		  {
+		    if (elen > BIN_MESSAGETABLE_ITEM_SIZE)
 		      ascii_print (e, (const char *) mti->data,
 				   (elen - BIN_MESSAGETABLE_ITEM_SIZE));
 		  }
+
 		wr_printcomment (e,"");
 		++low;
 		offset += elen;
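Review bot: An entry whose `elen` is smaller than `BIN_MESSAGETABLE_ITEM_SIZE` is now skipped silently, yet the loop still runs `++low; offset += elen;`, so with `elen == 0` the offset never advances and the same item is re-read and commented for every id from `low` to `high`, both of which are read from the file. For a corrupt table that is still a large amount of output and CPU time from a few bytes of input; treating a too-short length as an error before the print branches, `if (elen < BIN_MESSAGETABLE_ITEM_SIZE) { has_error = 1; break; }`, would bound it. The Unicode guard also compares against `BIN_MESSAGETABLE_ITEM_SIZE * 2`, which drops entries carrying a short but non-empty payload; if that is intentional, a comment should say why. The loop head and any earlier check of `offset + elen` against `length` are outside this hunk, so confirm how `has_error` is handled there.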
@@ -3005,7 +3011,7 @@ write_rc_datablock (FILE *e, rc_uint_type length, const bfd_byte *data, int has_
     fprintf (e, "BEGIN\n");
 
   if (show_comment == -1)
-	  {
+    {
       if (test_rc_datablock_text(length, data))
 	{
 	  rc_uint_type i, c;
@@ -3018,7 +3024,7 @@ write_rc_datablock (FILE *e, rc_uint_type length, const bfd_byte *data, int has_
 		;
 	      if (i < length && data[i] == '\n')
 		++i, ++c;
-	      ascii_print (e, (const char *) &data[i - c], c);
+	      ascii_print(e, (const char *) &data[i - c], c);
 	    fprintf (e, "\"");
 	      if (i < length)
 		fprintf (e, "\n");

