Created attachment 9511 [details]
The problem file

I fuzzed a file and came up with 'crash.exe' which segfaults when passed to 'objdump -x' using the latest build I could find:

GNU objdump (GNU Binutils) 2.27.51.20160913

Here's a log of running gdb with it:

$ gdb ~/checkout/binutils-gdb/binutils/objdump
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
...
Reading symbols from /home/grifball/checkout/binutils-gdb/binutils/objdump...done.
(gdb) set args -x crash.exe
(gdb) r
Starting program: /home/grifball/checkout/binutils-gdb/binutils/objdump -x crash.exe

Program received signal SIGSEGV, Segmentation fault.
bfd_getl32 (p=0x85a000) at libbfd.c:552
552         return v;
(gdb) where
#0  bfd_getl32 (p=0x85a000) at libbfd.c:552
#1  0x00000000004acaea in _bfd_pei_swap_debugdir_in (abfd=abfd@entry=0x83a1c0, ext1=0x85a000, in1=in1@entry=0x7fffffffcfa0) at peigen.c:1116
#2  0x00000000004a89dc in pe_bfd_read_buildid (abfd=0x83a1c0) at peicode.h:1342
#3  pe_bfd_object_p (abfd=0x83a1c0) at peicode.h:1486
#4  0x000000000044913d in bfd_check_format_matches (abfd=abfd@entry=0x83a1c0, format=format@entry=bfd_object, matching=matching@entry=0x7fffffffded0) at format.c:308
#5  0x0000000000408888 in display_object_bfd (abfd=0x83a1c0) at ./objdump.c:3461
#6  display_any_bfd (file=file@entry=0x83a1c0, level=level@entry=0) at ./objdump.c:3552
#7  0x000000000040a9a3 in display_file (filename=0x7fffffffe2f0 "crash.exe", target=<optimized out>) at ./objdump.c:3573
#8  0x0000000000404cca in main (argc=3, argv=0x7fffffffe078) at ./objdump.c:3856
(gdb)

I built objdump from the git repo here: git://sourceware.org/git/binutils-gdb.git by cd'ing into "./binutils/" then running "./configure" and "make objdump".

I created the offending exe following a tutorial: https://fuzzing-project.org/tutorial1.html and found that this will create the exe (after you've downloaded the win9x.exe from the site):

zzuf -r 0.004 -s 16915 < win9x.exe > crash.exe

Let me know if you have any questions or want me to run any tests.
I used zzuf version 0.15 to fuzz it.
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6d042fe27102cb789407ccb2ec1663aa9c65129

commit e6d042fe27102cb789407ccb2ec1663aa9c65129
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Sep 14 15:32:01 2016 +0100

    Fix seg-fault in objdump when run on a fuzzed PE binary.

    PR binutils/20605
    * peicode.h (pe_bfd_read_buildid): Check that the Data Directory
    contains a valid size for the Debug directory.
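The crash above comes from a PE reader trusting the Debug entry of the optional header's Data Directory and handing its RVA to bfd_getl32 without first checking that the size and the address actually land inside mapped, on-disk bytes. The following is an added example, not binutils code: it shows the kind of bounds check the commit message describes, written against a constructed, minimal section table rather than a real PE file. The struct section layout, the validate_debug_directory and sample_debug_type functions, and the sample image are all assumptions made for the demonstration; only the 28-byte IMAGE_DEBUG_DIRECTORY entry size and the offset of its Type field come from the PE/COFF format itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size in bytes of one IMAGE_DEBUG_DIRECTORY entry, fixed by the PE/COFF spec. */
#define DEBUG_DIR_ENTRY_SIZE 28u
/* Byte offset of the Type field inside an IMAGE_DEBUG_DIRECTORY entry. */
#define DEBUG_DIR_TYPE_OFFSET 12u

/* Minimal view of a PE section header (assumed layout for this example):
   enough to map an RVA to a file offset. */
struct section {
    uint32_t virtual_address;  /* VirtualAddress: RVA where the section is mapped */
    uint32_t virtual_size;     /* Misc.VirtualSize */
    uint32_t raw_offset;       /* PointerToRawData */
    uint32_t raw_size;         /* SizeOfRawData */
};

/* Little-endian 32-bit read, the same job as bfd_getl32, but only ever called
   on an offset that validate_debug_directory has already approved. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the Debug data directory (RVA + size from the optional header)
   against the section table and the file length. Returns the number of whole
   entries that can be read safely and stores their file offset in *file_off;
   returns -1 when the directory is malformed. A fuzzed header can name any RVA
   or size, so every check here runs before a single byte behind the RVA is read. */
static int validate_debug_directory(size_t file_len,
                                    const struct section *secs, size_t nsecs,
                                    uint32_t debug_rva, uint32_t debug_size,
                                    size_t *file_off)
{
    /* The size must cover at least one entry, and only whole entries. */
    if (debug_size < DEBUG_DIR_ENTRY_SIZE || debug_size % DEBUG_DIR_ENTRY_SIZE != 0)
        return -1;

    for (size_t i = 0; i < nsecs; i++) {
        const struct section *s = &secs[i];
        uint64_t va = s->virtual_address;
        uint64_t va_end = va + s->virtual_size;   /* 64-bit: no wrap-around */
        if (debug_rva < va || debug_rva >= va_end)
            continue;                             /* RVA is not in this section */

        /* The directory must lie within the section's raw (on-disk) bytes ... */
        uint64_t dir_end = (uint64_t)debug_rva + debug_size;
        if (dir_end > va + s->raw_size)
            return -1;
        /* ... and those raw bytes must actually exist in the file. */
        uint64_t off = (uint64_t)s->raw_offset + (debug_rva - va);
        if (off + debug_size > file_len)
            return -1;

        *file_off = (size_t)off;
        return (int)(debug_size / DEBUG_DIR_ENTRY_SIZE);
    }
    return -1;  /* RVA maps to no section at all */
}

/* Constructed sample image (not a real binary): a 0x600-byte file with one
   section mapped at RVA 0x1000 whose raw bytes live at file offset 0x400. */
static uint8_t sample_file[0x600];
static const struct section sample_secs[] = {
    { 0x1000, 0x200, 0x400, 0x200 },
};

/* Validate a Debug directory entry against the sample image and, if it passes,
   return the Type field of the first entry; -1 if the entry was rejected. */
int sample_debug_type(uint32_t debug_rva, uint32_t debug_size)
{
    /* Plant one CodeView entry (Type = 2) at the start of the section. */
    memset(sample_file, 0, sizeof sample_file);
    sample_file[0x400 + DEBUG_DIR_TYPE_OFFSET] = 2;

    size_t off = 0;
    int n = validate_debug_directory(sizeof sample_file, sample_secs, 1,
                                     debug_rva, debug_size, &off);
    if (n < 0)
        return -1;
    return (int)get_le32(sample_file + off + DEBUG_DIR_TYPE_OFFSET);
}

int main(void)
{
    printf("well-formed header: type = %d\n", sample_debug_type(0x1000, 28));
    printf("oversized size:     type = %d\n", sample_debug_type(0x1000, 0xFFFFFFF0u));
    printf("runs past section:  type = %d\n", sample_debug_type(0x11F0, 28));
    return 0;
}
```

The order of the checks matters: the size is validated on its own first, so an absurd size never reaches the arithmetic that computes a file offset, and the RVA is resolved through the section table rather than trusted as an offset, so an entry that starts inside a section but runs past its raw data is rejected before any read.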
Hi Scott,

Thanks for reporting this bug. I have checked in a patch to fix the problem.

If you find any more bugs, please feel free to open a new PR. Or, if you find problems with my solution to this problem, please feel free to reopen this PR.

Cheers
Nick
Hi Nick,

I double checked your solution to make sure that it fixed the problem. Looks like it's working. It's putting the error you added into stderr when I run the same test that segfaulted before.

Thanks,
-Scott