This is the mail archive of the
binutils@sourceware.org
mailing list for the binutils project.
PR24272, out-of-bounds read in pex64_xdata_print_uwd_codes
- From: Alan Modra <amodra at gmail dot com>
- To: binutils at sourceware dot org
- Date: Fri, 1 Mar 2019 13:28:48 +1030
- Subject: PR24272, out-of-bounds read in pex64_xdata_print_uwd_codes
The fix here is to use an unsigned comparison for
if (a->NumberOfRvaAndSizes > IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
ie. changing NumberOfRvaAndSizes type from long to uint32_t. The rest
of the patch fixes similar cases where the wrong type was used.
include/
PR 24272
* coff/internal.h (struct internal_extra_pe_aouthdr): Change type
of SizeOfCode, SizeOfInitializedData, and SizeOfUninitializedData
to bfd_vma. Change type of SectionAlignment, FileAlignment,
Reserved1, SizeOfImage, SizeOfHeaders, CheckSum, LoaderFlags,
and NumberOfRvaAndSizes to uint32_t.
bfd/
PR 24272
* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Use unsigned index.
(_bfd_XX_print_private_bfd_data_common): Adjust for type changes.
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index e6d1425472..77fb4933e7 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -522,15 +522,15 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
a->NumberOfRvaAndSizes = H_GET_32 (abfd, src->NumberOfRvaAndSizes);
{
- int idx;
+ unsigned idx;
/* PR 17512: Corrupt PE binaries can cause seg-faults. */
if (a->NumberOfRvaAndSizes > IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
{
/* xgettext:c-format */
_bfd_error_handler
- (_("%pB: aout header specifies an invalid number of data-directory entries: %ld"),
- abfd, a->NumberOfRvaAndSizes);
+ (_("%pB: aout header specifies an invalid number of"
+ " data-directory entries: %u"), abfd, a->NumberOfRvaAndSizes);
bfd_set_error (bfd_error_bad_value);
/* Paranoia: If the number is corrupt, then assume that the
@@ -2806,12 +2806,13 @@ _bfd_XX_print_private_bfd_data_common (bfd * abfd, void * vfile)
fprintf (file, "\t(%s)",name);
fprintf (file, "\nMajorLinkerVersion\t%d\n", i->MajorLinkerVersion);
fprintf (file, "MinorLinkerVersion\t%d\n", i->MinorLinkerVersion);
- fprintf (file, "SizeOfCode\t\t%08lx\n", (unsigned long) i->SizeOfCode);
- fprintf (file, "SizeOfInitializedData\t%08lx\n",
- (unsigned long) i->SizeOfInitializedData);
- fprintf (file, "SizeOfUninitializedData\t%08lx\n",
- (unsigned long) i->SizeOfUninitializedData);
- fprintf (file, "AddressOfEntryPoint\t");
+ fprintf (file, "SizeOfCode\t\t");
+ bfd_fprintf_vma (abfd, file, i->SizeOfCode);
+ fprintf (file, "\nSizeOfInitializedData\t");
+ bfd_fprintf_vma (abfd, file, i->SizeOfInitializedData);
+ fprintf (file, "\nSizeOfUninitializedData\t");
+ bfd_fprintf_vma (abfd, file, i->SizeOfUninitializedData);
+ fprintf (file, "\nAddressOfEntryPoint\t");
bfd_fprintf_vma (abfd, file, i->AddressOfEntryPoint);
fprintf (file, "\nBaseOfCode\t\t");
bfd_fprintf_vma (abfd, file, i->BaseOfCode);
@@ -2823,20 +2824,18 @@ _bfd_XX_print_private_bfd_data_common (bfd * abfd, void * vfile)
fprintf (file, "\nImageBase\t\t");
bfd_fprintf_vma (abfd, file, i->ImageBase);
- fprintf (file, "\nSectionAlignment\t");
- bfd_fprintf_vma (abfd, file, i->SectionAlignment);
- fprintf (file, "\nFileAlignment\t\t");
- bfd_fprintf_vma (abfd, file, i->FileAlignment);
- fprintf (file, "\nMajorOSystemVersion\t%d\n", i->MajorOperatingSystemVersion);
+ fprintf (file, "\nSectionAlignment\t%08x\n", i->SectionAlignment);
+ fprintf (file, "FileAlignment\t\t%08x\n", i->FileAlignment);
+ fprintf (file, "MajorOSystemVersion\t%d\n", i->MajorOperatingSystemVersion);
fprintf (file, "MinorOSystemVersion\t%d\n", i->MinorOperatingSystemVersion);
fprintf (file, "MajorImageVersion\t%d\n", i->MajorImageVersion);
fprintf (file, "MinorImageVersion\t%d\n", i->MinorImageVersion);
fprintf (file, "MajorSubsystemVersion\t%d\n", i->MajorSubsystemVersion);
fprintf (file, "MinorSubsystemVersion\t%d\n", i->MinorSubsystemVersion);
- fprintf (file, "Win32Version\t\t%08lx\n", (unsigned long) i->Reserved1);
- fprintf (file, "SizeOfImage\t\t%08lx\n", (unsigned long) i->SizeOfImage);
- fprintf (file, "SizeOfHeaders\t\t%08lx\n", (unsigned long) i->SizeOfHeaders);
- fprintf (file, "CheckSum\t\t%08lx\n", (unsigned long) i->CheckSum);
+ fprintf (file, "Win32Version\t\t%08x\n", i->Reserved1);
+ fprintf (file, "SizeOfImage\t\t%08x\n", i->SizeOfImage);
+ fprintf (file, "SizeOfHeaders\t\t%08x\n", i->SizeOfHeaders);
+ fprintf (file, "CheckSum\t\t%08x\n", i->CheckSum);
switch (i->Subsystem)
{
diff --git a/include/coff/internal.h b/include/coff/internal.h
index 9b55769421..c87dc8abaf 100644
--- a/include/coff/internal.h
+++ b/include/coff/internal.h
@@ -197,11 +197,11 @@ struct internal_extra_pe_aouthdr
/* Linker minor version number. */
char MinorLinkerVersion;
/* Total size of all code sections. */
- long SizeOfCode;
+ bfd_vma SizeOfCode;
/* Total size of all initialized data sections. */
- long SizeOfInitializedData;
+ bfd_vma SizeOfInitializedData;
/* Total size of all uninitialized data sections. */
- long SizeOfUninitializedData;
+ bfd_vma SizeOfUninitializedData;
/* Address of entry point relative to image base. */
bfd_vma AddressOfEntryPoint;
/* Address of the first code section relative to image base. */
@@ -211,21 +211,21 @@ struct internal_extra_pe_aouthdr
/* PE stuff */
bfd_vma ImageBase; /* Address of specific location in memory that
- file is located, NT default 0x10000. */
-
- bfd_vma SectionAlignment; /* Section alignment default 0x1000. */
- bfd_vma FileAlignment; /* File alignment default 0x200. */
- short MajorOperatingSystemVersion; /* Minimum version of the operating. */
- short MinorOperatingSystemVersion; /* System req'd for exe, default to 1. */
- short MajorImageVersion; /* User defineable field to store version of */
- short MinorImageVersion; /* exe or dll being created, default to 0. */
- short MajorSubsystemVersion; /* Minimum subsystem version required to */
- short MinorSubsystemVersion; /* run exe; default to 3.1. */
- long Reserved1; /* Seems to be 0. */
- long SizeOfImage; /* Size of memory to allocate for prog. */
- long SizeOfHeaders; /* Size of PE header and section table. */
- long CheckSum; /* Set to 0. */
- short Subsystem;
+ file is located, NT default 0x10000. */
+
+ uint32_t SectionAlignment; /* Section alignment default 0x1000. */
+ uint32_t FileAlignment; /* File alignment default 0x200. */
+ short MajorOperatingSystemVersion; /* Minimum version of the operating. */
+ short MinorOperatingSystemVersion; /* System req'd for exe, default 1. */
+ short MajorImageVersion; /* User defineable field to store version of */
+ short MinorImageVersion; /* exe or dll being created, default to 0. */
+ short MajorSubsystemVersion; /* Minimum subsystem version required to */
+ short MinorSubsystemVersion; /* run exe; default to 3.1. */
+ uint32_t Reserved1; /* Seems to be 0. */
+ uint32_t SizeOfImage; /* Size of memory to allocate for prog. */
+ uint32_t SizeOfHeaders; /* Size of PE header and section table. */
+ uint32_t CheckSum; /* Set to 0. */
+ short Subsystem;
/* Type of subsystem exe uses for user interface,
possible values:
@@ -237,11 +237,11 @@ struct internal_extra_pe_aouthdr
unsigned short DllCharacteristics; /* flags for DLL init. */
bfd_vma SizeOfStackReserve; /* Amount of memory to reserve. */
bfd_vma SizeOfStackCommit; /* Amount of memory initially committed for
- initial thread's stack, default is 0x1000. */
+ initial thread's stack, default 0x1000. */
bfd_vma SizeOfHeapReserve; /* Amount of virtual memory to reserve and */
bfd_vma SizeOfHeapCommit; /* commit, don't know what to defaut it to. */
- long LoaderFlags; /* Can probably set to 0. */
- long NumberOfRvaAndSizes; /* Number of entries in next entry, 16. */
+ uint32_t LoaderFlags; /* Can probably set to 0. */
+ uint32_t NumberOfRvaAndSizes; /* Number of entries in next entry, 16. */
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
};
--
Alan Modra
Australia Development Lab, IBM