This is the mail archive of the binutils-cvs@sourceware.org mailing list for the binutils project.



[binutils-gdb] Fix shift overflow when parsing an overlarge note value.


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ddef72cdc10d82ba011a7ff81cafbbd3466acf54

commit ddef72cdc10d82ba011a7ff81cafbbd3466acf54
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Apr 21 12:31:59 2017 +0100

    Fix shift overflow when parsing an overlarge note value.
    
    	PR binutils/21378
    	* readelf.c (print_gnu_build_attribute_name): Check for an
    	overlarge name field.

Diff:
---
 binutils/ChangeLog |  6 ++++++
 binutils/readelf.c | 20 ++++++++++++++------
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 5f75c17..e833b05 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2017-04-21  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/21378
+	* readelf.c (print_gnu_build_attribute_name): Check for an
+	overlarge name field.
+
 2017-04-13  Nick Clifton  <nickc@redhat.com>
 
 	PR binutils/21379
diff --git a/binutils/readelf.c b/binutils/readelf.c
index ab53473..e575667 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -16948,10 +16948,18 @@ print_gnu_build_attribute_name (Elf_Internal_Note * pnote)
     {
     case GNU_BUILD_ATTRIBUTE_TYPE_NUMERIC:
       {
-	unsigned int   bytes = pnote->namesz - (name - pnote->namedata);
-	unsigned long  val = 0;
-	unsigned int   shift = 0;
-	char *         decoded = NULL;
+	unsigned int        bytes = pnote->namesz - (name - pnote->namedata);
+	unsigned long long  val = 0;
+	unsigned int        shift = 0;
+	char *              decoded = NULL;
+
+	/* PR 21378 */
+	if (bytes > sizeof (val))
+	  {
+	    error (_("corrupt name field: namesz of %lu is too large for a numeric value\n"),
+		   pnote->namesz);
+	    return FALSE;
+	  }
 
 	while (bytes --)
 	  {
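Review bot: The new bound `bytes > sizeof (val)` admits up to eight bytes, so `shift` in the `while (bytes --)` loop can reach 56, which is only well defined if the operand being shifted is itself `unsigned long long`. The loop body lies outside this hunk, so confirm it was widened together with `val`, e.g. `val |= ((unsigned long long) (*name++ & 0xff)) << shift;`. If the per-byte temporary is still an `unsigned long`, hosts with a 32-bit long would keep the undefined shift for name fields of five to eight bytes. Separately, the condition tests the remaining `bytes` while the message prints `pnote->namesz`; reporting `bytes` with `%u` would make the diagnostic match the check that fired.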
@@ -16995,9 +17003,9 @@ print_gnu_build_attribute_name (Elf_Internal_Note * pnote)
 	else
 	  {
 	    if (do_wide)
-	      left -= printf ("0x%lx", val);
+	      left -= printf ("0x%llx", val);
 	    else
-	      left -= printf ("0x%-.*lx", left, val);
+	      left -= printf ("0x%-.*llx", left, val);
 	  }
       }
       break;

