This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[patch] RELOC_AGAINST_DISCARDED_SECTION crash on +1 overrun

From: Jan Kratochvil <jan dot kratochvil at redhat dot com>
To: binutils at sourceware dot org
Cc: Andreas Schwab <aschwab at redhat dot com>, Jakub Jelinek <jakub at redhat dot com>
Date: Wed, 20 Apr 2011 00:17:53 +0200
Subject: [patch] RELOC_AGAINST_DISCARDED_SECTION crash on +1 overrun

Hi,

from a reported core file created this patch.  memmove was trying to read
memory after a page boundary.  (I do not have the fix verified.)

No regressions on {x86_64,i686}-fedora15-linux-gnu.


Thanks,
Jan


bfd/
2011-04-19  Jan Kratochvil  <jan.kratochvil@redhat.com>

	* elf-bfd.h (RELOC_AGAINST_DISCARDED_SECTION): Fix +1 overrun of
	memmove elements.

--- a/bfd/elf-bfd.h
+++ b/bfd/elf-bfd.h
@@ -2405,7 +2405,7 @@ extern asection _bfd_elf_large_com_section;
 	    rel_hdr = _bfd_elf_single_rel_hdr (input_section);		\
 	    rel_hdr->sh_size -= rel_hdr->sh_entsize;			\
 									\
-	    memmove (rel, rel + 1, (relend - rel) * sizeof (*rel));	\
+	    memmove (rel, rel + 1, (relend - rel - 1) * sizeof (*rel));	\
 									\
 	    input_section->reloc_count--;				\
 	    relend--;							\

Follow-Ups:
- Re: [patch] RELOC_AGAINST_DISCARDED_SECTION crash on +1 overrun
  - From: Alan Modra

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]