objcopy buffer overflow
Alan Modra
amodra@gmail.com
Mon Nov 1 12:04:34 GMT 2021
"tocopy" in this code was an int, which when the size to be copied was
larger than MAXINT could result in tocopy being negative. A negative
value of course is less than BUFSIZE, but when converted to
bfd_size_type is extremely large. This problem doesn't need a 2G size
element in an archive, just an element that is claimed to be that big
on some target that doesn't sanity check the size. See next patch.
PR 995
* objcopy.c (copy_unknown_object): Correct calculation of "tocopy".
Use better variable types.
diff --git a/binutils/objcopy.c b/binutils/objcopy.c
index 0e7400fe4cb..e0d52d114fe 100644
--- a/binutils/objcopy.c
+++ b/binutils/objcopy.c
@@ -1894,9 +1894,8 @@ static bool
copy_unknown_object (bfd *ibfd, bfd *obfd)
{
char *cbuf;
- int tocopy;
- long ncopied;
- long size;
+ bfd_size_type tocopy;
+ off_t size;
struct stat buf;
if (bfd_stat_arch_elt (ibfd, &buf) != 0)
@@ -1924,30 +1923,28 @@ copy_unknown_object (bfd *ibfd, bfd *obfd)
bfd_get_archive_filename (ibfd), bfd_get_filename (obfd));
cbuf = (char *) xmalloc (BUFSIZE);
- ncopied = 0;
- while (ncopied < size)
+ while (size != 0)
{
- tocopy = size - ncopied;
- if (tocopy > BUFSIZE)
+ if (size > BUFSIZE)
tocopy = BUFSIZE;
+ else
+ tocopy = size;
- if (bfd_bread (cbuf, (bfd_size_type) tocopy, ibfd)
- != (bfd_size_type) tocopy)
+ if (bfd_bread (cbuf, tocopy, ibfd) != tocopy)
{
bfd_nonfatal_message (NULL, ibfd, NULL, NULL);
free (cbuf);
return false;
}
- if (bfd_bwrite (cbuf, (bfd_size_type) tocopy, obfd)
- != (bfd_size_type) tocopy)
+ if (bfd_bwrite (cbuf, tocopy, obfd) != tocopy)
{
bfd_nonfatal_message (NULL, obfd, NULL, NULL);
free (cbuf);
return false;
}
- ncopied += tocopy;
+ size -= tocopy;
}
/* We should at least to be able to read it back when copying an
--
Alan Modra
Australia Development Lab, IBM
More information about the Binutils
mailing list