forked from Imagelibrary/binutils-gdb
Fixes for memory access violations exposed by fuzzinf various binaries.
PR binutils/17512 * dwarf.c (get_encoded_value): Check for an encoded size of 0. (display_debug_lines_raw): Check for an invalid line range value. (display_debug_frames): Check for corrupt augmentation data. * coffgen.c (coff_get_normalized_symtab): Check for an excessive number of auxillary entries. * ieee.c (next_byte): Convert to a function. Return FALSE if the next byte is beyond the end of the buffer. (parse_int): Test the return value of next_byte. (parse_expression): Convert to boolean. Return FALSE if the parsing failed. Test the return value of next_byte. (ieee_seek): Convert to a function. Return FALSE if the seek goes beyond the end of the buffer. (ieee_slurp_external_symbols): Test the return value of ieee_seek and next_byte. (ieee_slurp_sections): Convert to boolean. Return FALSE if the operation failed. Test the return value of ieee_seek and next_byte. (ieee_archive_p): Test the return value of ieee_seek and next_byte. (do_one): Likewise. (ieee_slurp_section_data): Likewise. (ieee_object_p): Likewise. Store the size of the buffer in the total_amt field in the header. * libieee.h (common_header_type): Add amt field. * mach-o.c (bfd_mach_o_canonicalize_one_reloc): Check that the reloc's value is within range. (bfd_mach_o_read_symtab_symbols): Nullify the symbols field if the operation fails. * pei-x86_64.c (pex64_xdata_print_uwd_codes): Replace abort with an error message. (pex64_dump_xdata): Check for buffer overflows. * versados.c (process_otr): Check that the section exists before taking its size. (versados_object_p): Make sure that enough data was read for the header to be checked. * vms-alpha.c (vms_get_remaining_object_record): Change read_so_far parameter to an unsigned int. Check that the amount read is in range.
This commit is contained in:
Nick Clifton
@@ -1,3 +1,10 @@
|
||||
2014-11-21 Nick Clifton <nickc@redhat.com>
|
||||
|
||||
PR binutils/17512
|
||||
* dwarf.c (get_encoded_value): Check for an encoded size of 0.
|
||||
(display_debug_lines_raw): Check for an invalid line range value.
|
||||
(display_debug_frames): Check for corrupt augmentation data.
|
||||
|
||||
2014-11-21 Nick Clifton <nickc@redhat.com>
|
||||
|
||||
PR binutils/17531
|
||||
|
||||
@@ -142,6 +142,14 @@ get_encoded_value (unsigned char **pdata,
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* PR 17512: file: 1085-5603-0.004. */
|
||||
if (size == 0)
|
||||
{
|
||||
warn (_("Encoded size of 0 is too small to read\n"));
|
||||
* pdata = end;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (encoding & DW_EH_PE_signed)
|
||||
val = byte_get_signed (data, size);
|
||||
else
|
||||
@@ -2786,6 +2794,13 @@ display_debug_lines_raw (struct dwarf_section *section,
|
||||
printf (_(" Line Range: %d\n"), linfo.li_line_range);
|
||||
printf (_(" Opcode Base: %d\n"), linfo.li_opcode_base);
|
||||
|
||||
/* PR 17512: file: 1665-6428-0.004. */
|
||||
if (linfo.li_line_range == 0)
|
||||
{
|
||||
warn (_("Line range of 0 is invalid, using 1 instead\n"));
|
||||
linfo.li_line_range = 1;
|
||||
}
|
||||
|
||||
reset_state_machine (linfo.li_default_is_stmt);
|
||||
|
||||
/* Display the contents of the Opcodes table. */
|
||||
@@ -5697,6 +5712,15 @@ display_debug_frames (struct dwarf_section *section,
|
||||
augmentation_data_len = LEB ();
|
||||
augmentation_data = start;
|
||||
start += augmentation_data_len;
|
||||
/* PR 17512: file: 722-8446-0.004. */
|
||||
if (start >= end)
|
||||
{
|
||||
warn (_("Corrupt augmentation data length: %lx\n"),
|
||||
augmentation_data_len);
|
||||
start = end;
|
||||
augmentation_data = NULL;
|
||||
augmentation_data_len = 0;
|
||||
}
|
||||
}
|
||||
|
||||
printf ("\n%08lx %s %s FDE cie=%08lx pc=",
|
||||
|
||||
Reference in New Issue
Block a user