off by one in bfd/syms.c or bfd/elfcode.h?

Gregory Steuck greg@nest.cx
Mon Mar 25 20:15:00 GMT 2002


Could somebody tell me which one of these 2 is to blame:

syms.c:
long
_bfd_generic_read_minisymbols (abfd, dynamic, minisymsp, sizep)
{
...
  syms = (asymbol **) bfd_malloc ((size_t) storage);      // Greg: storage = 0
  if (syms == NULL)
    goto error_return;

  if (dynamic)
    symcount = bfd_canonicalize_dynamic_symtab (abfd, syms);
...
}

elfcode.h:
long
elf_slurp_symbol_table (abfd, symptrs, dynamic) {
...
  /* Fill in the user's symbol pointer vector if needed.  */
  if (symptrs)
    {
      long l = symcount;

      sym = symbase;
      while (l-- > 0)
	{
	  *symptrs++ = &sym->symbol;
	  sym++;
	}
      *symptrs = 0;		/* Final null pointer */  // Greg: it
                                                          // wasn't allocated!
    }
...
}

So elfcode writes into a chunk of memory even though it was allocated
with size=0?

This causes a segv on openbsd-sparc64. Changing
_bfd_generic_read_minisymbols to allocate sizeof (asymbol *) more
fixes the problem, but I am not sure if the fix is the correct one.

Comments?



More information about the Binutils mailing list
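The size mismatch Greg describes, modelled as an added example (this is not binutils code and does not reproduce the real BFD functions; `asymbol` is a one-field stand-in, `sample_table` is a constructed symbol table, and `fill_symbol_pointers`, `buggy_storage`, `fixed_storage` and `fill_clobbers_guard` are hypothetical names). The fill loop stores symcount pointers and then a terminating NULL, so it needs symcount + 1 slots; a caller that allocates only `storage` bytes with storage = 0 (or, more generally, symcount * sizeof (asymbol *)) is one slot short. Rather than letting the stray write corrupt real heap memory, the example appends one guard slot after the modelled allocation and reports whether the final NULL landed in it:

```c
/* Added example, not binutils code: a model of the off-by-one between the
   allocation size in the caller and the terminating NULL written by the
   fill loop. A guard slot after the modelled allocation shows where the
   extra write lands instead of corrupting unrelated heap memory. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for BFD's asymbol; only a name is needed here.  */
typedef struct { const char *name; } asymbol;

/* Constructed sample symbol table (not taken from any real object file).  */
asymbol sample_table[3] = { { "main" }, { "printf" }, { "_start" } };

/* Stand-in for the fill loop in elf_slurp_symbol_table: stores symcount
   pointers into symptrs, then the final NULL. Like the original, it has no
   way of knowing how large symptrs actually is.  */
static void fill_symbol_pointers(asymbol *symbase, long symcount, asymbol **symptrs)
{
    long l = symcount;
    asymbol *sym = symbase;
    while (l-- > 0)
        *symptrs++ = sym++;
    *symptrs = NULL;                 /* slot number symcount must exist */
}

/* Storage on the path as posted: room for symcount pointers only, which is
   0 bytes for an empty table (Greg's "storage = 0").  */
size_t buggy_storage(long symcount)
{
    return (size_t) symcount * sizeof (asymbol *);
}

/* Storage with Greg's proposed change: one extra sizeof (asymbol *) for the
   terminating NULL.  */
size_t fixed_storage(long symcount)
{
    return buggy_storage(symcount) + sizeof (asymbol *);
}

/* Run the fill loop over a vector of `storage` bytes followed by one guard
   slot. Returns 1 if the guard was overwritten (the final NULL went one slot
   past the modelled allocation), 0 if the fill stayed in bounds, -1 on bad
   input. The guard only catches an overrun of exactly one slot, so storage
   must at least cover the symcount pointers themselves.  */
int fill_clobbers_guard(asymbol *table, long symcount, size_t storage)
{
    static asymbol guard_sym = { "guard" };
    size_t slots = storage / sizeof (asymbol *);
    asymbol **vec;
    int clobbered;

    if (symcount < 0 || slots < (size_t) symcount)
        return -1;
    vec = malloc((slots + 1) * sizeof (asymbol *));
    if (vec == NULL)
        return -1;
    vec[slots] = &guard_sym;         /* sentinel just past the allocation */
    fill_symbol_pointers(table, symcount, vec);
    clobbered = (vec[slots] != &guard_sym);
    free(vec);
    return clobbered;
}

int main(void)
{
    long counts[] = { 0, 3 };
    size_t i;
    for (i = 0; i < 2; i++) {
        long n = counts[i];
        printf("symcount=%ld: storage %zu bytes -> overrun=%d; "
               "storage %zu bytes -> overrun=%d\n",
               n, buggy_storage(n),
               fill_clobbers_guard(sample_table, n, buggy_storage(n)),
               fixed_storage(n),
               fill_clobbers_guard(sample_table, n, fixed_storage(n)));
    }
    return 0;
}
```

The guard is clobbered for both an empty table and a three-entry table whenever the allocation omits the extra slot, so the overrun is not specific to storage = 0; that case is just the one where the write lands entirely outside a zero-byte allocation. Whichever side of the interface is held responsible for the contract, the invariant the model checks is the same: the buffer handed to the fill loop must hold symcount + 1 pointers.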