asan: readelf: heap buffer overflow in slurp_hppa_unwind_table
Alan Modra
amodra@gmail.com
Thu Jul 9 06:43:22 GMT 2020
This one isn't just a weird corner case requiring multiple
.PARISC.unwind sections in an object file to trigger the buffer
overflow, it's also a simple bug that would prevent relocations being
applied in the normal case of a single .PARISC.unwind section.
* readelf (slurp_hppa_unwind_table): Set table_len before use
in relocation sanity checks.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 41547a2594..0feeed9831 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -8253,6 +8253,7 @@ slurp_hppa_unwind_table (Filedata * filedata,
nentries = size / unw_ent_size;
size = unw_ent_size * nentries;
+ aux->table_len = nentries;
tep = aux->table = (struct hppa_unw_table_entry *)
xcmalloc (nentries, sizeof (aux->table[0]));
@@ -8372,8 +8373,6 @@ slurp_hppa_unwind_table (Filedata * filedata,
free (rela);
}
- aux->table_len = nentries;
-
return TRUE;
}
--
Alan Modra
Australia Development Lab, IBM
More information about the Binutils
mailing list