Bug 17605 - ar crashes on malformed archive
Summary: ar crashes on malformed archive
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.26
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2014-11-16 15:16 UTC by Alexander Cherepanov
Modified: 2014-11-18 17:38 UTC

See Also:
Last reconfirmed:

Check for ctime() returning NULL (403 bytes, patch)
2014-11-18 17:37 UTC, Nick Clifton

Description Alexander Cherepanov 2014-11-16 15:16:25 UTC

$ printf '!<arch>\n%16s%-32s%-10s`\n' '' 100000000000000000 0 > test.a
$ ar tv test.a
Segmentation fault

It crashes inside binutils-gdb/binutils/bucomm.c:

       if (bfd_stat_arch_elt (abfd, &buf) == 0)
         {
           char modebuf[11];
           char timebuf[40];
           time_t when = buf.st_mtime;
           const char *ctime_result = (const char *) ctime (&when);
           bfd_size_type size;

           /* POSIX format:  skip weekday and seconds from ctime output.  */
           sprintf (timebuf, "%.12s %.4s", ctime_result + 4, ctime_result + 20);

'when' is too big, 'ctime' returns 0, which gets dereferenced inside sprintf.

Seems not to be exploitable.

Found with American Fuzzy Lop.
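The failure mode above, as an added example that is not part of the bug report or of binutils: ctime() returns NULL when the year does not fit in a struct tm, and a caller that indexes the result unconditionally reads through a NULL pointer. The hardened routine below checks the return value before formatting, which is the shape of guard the fix commit later in this bug describes. Both timestamps are constructed samples: the huge one is the digit string from the reporter's malformed header, the sane one is the report's own date in UTC. The example assumes a 64-bit time_t (a 32-bit time_t would truncate the huge value instead of overflowing ctime()).

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed sample timestamps (not taken from binutils test data). */
#define SANE_MTIME 1416150985LL          /* 2014-11-16 15:16:25 UTC */
#define HUGE_MTIME 100000000000000000LL  /* the digits in the reporter's header */

/*
 * Hardened formatter for an archive member's mtime in POSIX "ar tv" layout.
 * Returns 1 when ctime() produced a string and timebuf holds "Mon DD HH:MM YYYY",
 * returns 0 when ctime() could not represent the year (it returns NULL on
 * glibc/musl/tzcode when the year overflows int) and timebuf holds a placeholder.
 * Assumes a 64-bit time_t so the cast below does not truncate HUGE_MTIME.
 */
static int format_mtime_checked(time_t when, char *timebuf, size_t len)
{
    const char *ctime_result = ctime(&when);

    if (ctime_result == NULL) {
        /* Same guard the fix needs: never index a NULL result. A fixed-width
           placeholder keeps the listing aligned instead of crashing the tool. */
        snprintf(timebuf, len, "%s", "<unknown date>");
        return 0;
    }

    /* ctime() yields "Www Mmm dd hh:mm:ss yyyy\n"; POSIX ar output skips the
       weekday (offset 4) and the seconds, keeping the 4-digit year (offset 20). */
    snprintf(timebuf, len, "%.12s %.4s", ctime_result + 4, ctime_result + 20);
    return 1;
}

/* Small wrappers so the result of each call can be inspected without
   managing a buffer at the call site. */
static char g_timebuf[40];

static int mtime_status(long long raw)
{
    return format_mtime_checked((time_t)raw, g_timebuf, sizeof g_timebuf);
}

static const char *mtime_text(long long raw)
{
    format_mtime_checked((time_t)raw, g_timebuf, sizeof g_timebuf);
    return g_timebuf;
}

int main(void)
{
    /* A sane member timestamp formats normally (17 characters). */
    printf("sane: status=%d text=\"%s\"\n", mtime_status(SANE_MTIME), mtime_text(SANE_MTIME));

    /* The overflowing timestamp from the malformed archive: ctime() returns
       NULL, the guard takes the placeholder path, and the program keeps running. */
    printf("huge: status=%d text=\"%s\"\n", mtime_status(HUGE_MTIME), mtime_text(HUGE_MTIME));
    return 0;
}
```

The hardened function mirrors the crash site's formatting exactly, so the only behavioural change for well-formed archives is the added NULL check; the exact text of the sane sample depends on the local time zone, which is why the checks below look at the status and the fixed 17-character width rather than the date string itself.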
Comment 1 cvs-commit@gcc.gnu.org 2014-11-18 17:36:58 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  0593bd3ace3cb64775f4d9e8039da919c26803cd (commit)
      from  8435453b810d8ab0574e509446003d10d04abfd4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------

commit 0593bd3ace3cb64775f4d9e8039da919c26803cd
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 18 17:35:39 2014 +0000

    Fixes a seg-fault when displaying the time data for a corrupt archive.
    	PR binutils/17605
    	* bucomm.c (print_arelt_descr): Check for ctime returning NULL.


Summary of changes:
 binutils/ChangeLog |    5 +++++
 binutils/bucomm.c  |    8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
Comment 2 Nick Clifton 2014-11-18 17:37:07 UTC
Created attachment 7946 [details]
Check for ctime() returning NULL
Comment 3 Nick Clifton 2014-11-18 17:38:00 UTC
Hi Alexander,

  Thanks for the bug report.  I have applied a patch (also uploaded here) to the master sources which should fix this problem.  Please give it a try.