Created attachment 12139
The crash PoC

Hello,

There is a null pointer dereference in bfd/pef.c:bfd_pef_parse_symbols().

## Analysis

Look at the following code in bfd/pef.c:bfd_pef_parse_symbols():

----------Code------------
  if (codesec != NULL)
    {
      codelen = codesec->size;
      codebuf = bfd_malloc (codelen);   /* return value is not checked for NULL */
      if (bfd_seek (abfd, codesec->filepos, SEEK_SET) < 0)
        goto end;
      if (bfd_bread ((void *) codebuf, codelen, abfd) != codelen)
        goto end;
    }
--------------------------

In the code above, codebuf is allocated without checking whether the returned pointer is null, which makes the write to codebuf by bfd_bread invalid.

## Reproduce

The attachment makes objdump crash, provided objdump is built in 32-bit.

----------Log--------------
root@manh-ubuntu16:~/fuzz/fuzz_binutils# binutils-gdb-gcc-32/binutils/objdump -x crash-objdump

crash-objdump:     file format pef
crash-objdump
architecture: powerpc:common64, flags 0x000001ff:
HAS_RELOC, EXEC_P, HAS_LINENO, HAS_DEBUG, HAS_SYMS, HAS_LOCALS, DYNAMIC, WP_TEXT, D_PAGED
start address 0x0000000000000630

Segmentation fault (core dumped)
--------------------------

Tested with version 39aa149769fd05fb6fade43bd41c1d7b6d63d06b of github.com/bminor/binutils-gdb

--
Thanks & Regards,
Nguyen Duc Manh
VinCSS (a member of Vingroup)
[M] (+84) 346136886
[E] v.manhnd@vincss.net
[W] www.vincss.net
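The defect above is the classic "allocate from an attacker-controlled size, then write through the result without checking it" pattern: when the size field in a crafted header is large enough, the allocation fails, the pointer is NULL, and the subsequent read writes through it. The following is an added example (not binutils/BFD code, and not the fix applied upstream) showing the defensive shape a section loader should have: bounds-check the size against the file first, check the allocation result, and only then copy. The `section`, `file_image`, `load_section`, `failing_alloc` and `demo_*` names are constructed for this example, as is the in-memory sample image; the allocator is passed in so that allocation failure can be exercised without needing a 32-bit build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a section header: offset and length in the file. */
struct section {
    size_t filepos;
    size_t size;
};

/* Constructed in-memory "file" so the example runs without any input file. */
struct file_image {
    const unsigned char *data;
    size_t len;
};

enum load_status {
    LOAD_OK = 0,
    LOAD_BAD_RANGE = 1,  /* filepos + size does not lie inside the file */
    LOAD_NO_MEMORY = 2   /* allocation failed; the original code would deref NULL here */
};

typedef void *(*alloc_fn)(size_t);

/* Allocator that always fails, used to simulate the out-of-memory path. */
void *failing_alloc(size_t n)
{
    (void)n;
    return NULL;
}

/* Allocate a buffer for the section and copy its bytes into it.
   Every step that can fail is checked before the buffer is written. */
enum load_status load_section(const struct file_image *f, const struct section *sec,
                              alloc_fn alloc, unsigned char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;

    /* Range check written to avoid overflow in filepos + size. */
    if (sec->size > f->len || sec->filepos > f->len - sec->size)
        return LOAD_BAD_RANGE;

    /* A zero-length section needs no buffer; sidestep malloc(0) ambiguity. */
    if (sec->size == 0)
        return LOAD_OK;

    unsigned char *buf = alloc(sec->size);
    if (buf == NULL)              /* the check missing from the reported code */
        return LOAD_NO_MEMORY;

    memcpy(buf, f->data + sec->filepos, sec->size);
    *out = buf;
    *out_len = sec->size;
    return LOAD_OK;
}

/* Constructed 8-byte sample image used by the demo helpers. */
static const unsigned char sample_image[] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
};

/* Run load_section over the sample image and return the status code. */
int demo_load(size_t filepos, size_t size, int simulate_oom)
{
    struct file_image f = { sample_image, sizeof sample_image };
    struct section sec = { filepos, size };
    unsigned char *buf;
    size_t len;
    enum load_status st =
        load_section(&f, &sec, simulate_oom ? failing_alloc : malloc, &buf, &len);
    free(buf);
    return (int)st;
}

/* First byte of the loaded section, or -1 if nothing was loaded. */
int demo_first_byte(size_t filepos, size_t size)
{
    struct file_image f = { sample_image, sizeof sample_image };
    struct section sec = { filepos, size };
    unsigned char *buf;
    size_t len;
    int result = -1;
    if (load_section(&f, &sec, malloc, &buf, &len) == LOAD_OK && len > 0)
        result = buf[0];
    free(buf);
    return result;
}

int main(void)
{
    printf("in-range section:   status %d, first byte 0x%02x\n",
           demo_load(2, 4, 0), demo_first_byte(2, 4));
    printf("oversized section:  status %d\n", demo_load(0, SIZE_MAX, 0));
    printf("allocation failure: status %d\n", demo_load(0, 4, 1));
    return 0;
}
```

The important ordering is that the size is validated against what the file can actually supply before any allocation happens, so a bogus header never reaches the allocator with a multi-gigabyte request in the first place; the NULL check then covers genuine memory pressure rather than being the only line of defence.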
Hi Nguyễn,

This bug has already been fixed by the patch applied for PR 25308.

Cheers
Nick