Created attachment 10758
input that causes objcopy to segfault

objcopy segfault on the given input files.

# ------------
# Cmdline:
$ objcopy /tmp/objcopy_crash.input
Segmentation fault

# ------------
# gdb output
Program received signal SIGSEGV, Segmentation fault.
0x00000000004ea2f9 in coff_mangle_symbols (bfd_ptr=0x7a92f0) at ../../bfd/coffgen.c:843
843	      a->u.auxent.x_sym.x_tagndx.p->offset;
(gdb) where
#0  0x00000000004ea2f9 in coff_mangle_symbols (bfd_ptr=0x7a92f0) at ../../bfd/coffgen.c:843
#1  0x00000000004d3c7d in coff_write_object_contents (abfd=0x7a92f0) at ../../bfd/coffcode.h:4231
#2  0x0000000000441c80 in bfd_close (abfd=0x7a92f0) at ../../bfd/opncls.c:731
#3  0x00000000004091cb in copy_file (input_filename=0x7fffffffe82a "/tmp/objcopy_crash.input", output_filename=0x7a5f00 "/tmp/st2DszA7", input_target=0x0, output_target=0x55aad7 "pei-i386", input_arch=0x0) at ../../binutils/objcopy.c:3530
#4  0x000000000040d017 in copy_main (argc=2, argv=0x7fffffffe5b8) at ../../binutils/objcopy.c:5478
#5  0x000000000040d363 in main (argc=2, argv=0x7fffffffe5b8) at ../../binutils/objcopy.c:5582

# ------------------------------
# Tested on the following two objcopy versions
# 1. From git://sourceware.org/git/binutils-gdb.git cloned on Jan 24, 2018
commit 0984958bd1d20245e4d42888a697b6015dc6172f
Ubuntu 14.04.5 LTS
$ uname -a
Linux 3.19.0-74-generic #82~14.04.1-Ubuntu SMP Fri Oct 21 15:43:47 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

# 2. GNU objcopy (GNU Binutils for Ubuntu) 2.26.1
Ubuntu 16.04.3 LTS
Linux 4.4.0-101-generic #124-Ubuntu SMP Fri Nov 10 18:29:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=eb77f6a4621795367a39cdd30957903af9dbb815

commit eb77f6a4621795367a39cdd30957903af9dbb815
Author: Alan Modra <amodra@gmail.com>
Date:   Sat Jan 27 08:19:33 2018 +1030

    PR22741, objcopy segfault on fuzzed COFF object

	PR 22741
	* coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in range
	before converting to a symbol table pointer.
Fixed
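The commit above fixes the crash by checking that the raw tagndx is in range before it is turned into a symbol-table pointer. As an added illustration, not binutils code, here is that pattern in simplified C with hypothetical sym/auxent structures: the index is resolved only when it lies inside the table, and the later dereference (the analogue of the coff_mangle_symbols line in the backtrace) is skipped when resolution failed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the symbol-table structures involved
   (hypothetical; not the real bfd/libcoff definitions). */
struct sym {
    const char *name;
    long offset;
};

/* The aux entry carries tagndx either as a raw index read from the file
   (l) or, after "pointerization", as a pointer into the symbol table (p). */
struct auxent {
    bool is_pointer;
    union {
        uint32_t l;     /* raw index as read from the object file */
        struct sym *p;  /* resolved pointer into the symbol table */
    } tagndx;
};

/* Convert the raw index to a pointer only if it lies inside the table.
   Returns false and leaves the entry untouched for an out-of-range index,
   which is the fuzzed condition behind PR22741. */
bool pointerize_aux(struct auxent *a, struct sym *table, size_t nsyms)
{
    if (a->is_pointer)
        return true;
    if (a->tagndx.l >= nsyms)
        return false;
    a->tagndx.p = &table[a->tagndx.l];
    a->is_pointer = true;
    return true;
}

/* Later pass: dereference the pointer only when pointerization succeeded.
   Returns -1 when no valid tag was resolved instead of faulting. */
long tag_offset(const struct auxent *a)
{
    if (!a->is_pointer)
        return -1;
    return a->tagndx.p->offset;
}

int main(void)
{
    struct sym table[] = { {"a", 0}, {"b", 16}, {"c", 32} };  /* constructed */
    size_t n = sizeof table / sizeof table[0];
    struct auxent good = { false, { .l = 1 } };
    struct auxent bad  = { false, { .l = 0xffffffffu } };  /* constructed fuzzed index */
    pointerize_aux(&good, table, n);
    pointerize_aux(&bad, table, n);
    printf("good -> %ld, bad -> %ld\n", tag_offset(&good), tag_offset(&bad));
    return 0;
}
```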