From 0798ef5b14cb399185c0a2816e45c68f0696957e Mon Sep 17 00:00:00 2001
From: Pavel Mayorov
Date: Tue, 14 Dec 2021 15:46:09 +0000
Subject: [PATCH] binutils: fix out-of-bounds write in stab_xcoff_builtin_type (bz 28694)

I found an out-of-bounds write to the array 'info->xcoff_types' in the function 'stab_xcoff_builtin_type' (binutils/stabs.c). Processing of typenum -34 results in overwriting of adjacent field 'info->tags' at line 3668:
info->xcoff_types[-typenum] = rettype;
This eventually leads to a segmentation fault due to illegal memory reference performed by the function 'finish_stab'. ASAN catches this as heap-buffer-overflow. To solve this problem, it is enough to correct the index by which the array is accessed: decrease it by 1
---
 binutils/stabs.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/binutils/stabs.c b/binutils/stabs.c
index 274bfb0e7fa..45ccbba4600 100644
--- a/binutils/stabs.c
+++ b/binutils/stabs.c
@@ -3500,14 +3500,16 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
 {
 debug_type rettype;
 const char *name;
+ int index;
 
 if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
 {
 fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
 return DEBUG_TYPE_NULL;
 }
- if (info->xcoff_types[-typenum] != NULL)
- return info->xcoff_types[-typenum];
+ index = -typenum - 1;
+ if (info->xcoff_types[index] != NULL)
+ return info->xcoff_types[index];
 
 switch (-typenum)
 {
@@ -3665,7 +3667,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
 
 rettype = debug_name_type (dhandle, name, rettype);
 
- info->xcoff_types[-typenum] = rettype;
+ info->xcoff_types[index] = rettype;
 
 return rettype;
 }
-- 
2.17.1
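Review bot: The new local is named `index`, which shadows the POSIX `index()` function from &lt;strings.h&gt; (glibc also exposes it via &lt;string.h&gt; under _GNU_SOURCE), so this hunk will trip -Wshadow in builds that enable it; `slot` or `cache_idx` avoids that. More importantly, the fix is only correct if `info->xcoff_types` is declared with exactly XCOFF_TYPE_COUNT elements, and neither that declaration nor the XCOFF_TYPE_COUNT definition is in the hunk, so the 1-based-to-0-based mapping deserves a comment at the point it is made, since the `switch (-typenum)` a few lines below still uses the raw 1-based value: `slot = -typenum - 1;  /* xcoff_types is 0-based; builtin typenums run -1..-XCOFF_TYPE_COUNT, so the range check above is the only bound.  */`. If, as the commit message suggests, `typenum` originates from stab strings in the input object file, the `typenum >= 0 || typenum < -XCOFF_TYPE_COUNT` guard is the sole barrier between attacker-controlled data and this array, and it would be worth a regression input with typenum -34 (and -35) under the existing binutils testsuite. The function's `switch` body continues past the end of the hunk.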
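Review bot: The store `info->xcoff_types[index] = rettype;` writes slot `-typenum - 1` while the `switch` labels earlier in the same function are keyed on `-typenum`, and nothing near this line signals the off-by-one, so a future edit that "restores" `-typenum` here would silently reintroduce the overflow. I'd add `/* Cache slot is 0-based (typenum -1 -> slot 0); index was bounds-checked at function entry.  */` above the assignment. The lines that compute `index` and the `rettype == DEBUG_TYPE_NULL` handling are outside this hunk, so whether a NULL result can reach the store cannot be confirmed from here.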