PR24236, Heap buffer overflow in _bfd_archive_64_bit_slurp_armap

PR 24236
	* archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
	sentinel NUL to string buffer nearer to loop where it is used.
	Don't go past sentinel when scanning strings, and don't write
	NUL again.
	* archive.c (do_slurp_coff_armap): Simplify string handling to
	archive64.c style.
Alan Modra
2019-02-20 08:21:24 +10:30
parent 7ae39e2d40
commit 8abac8031e
3 changed files with 22 additions and 15 deletions


@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd)
int *raw_armap, *rawptr;
struct artdata *ardata = bfd_ardata (abfd);
char *stringbase;
char *stringend;
bfd_size_type stringsize;
bfd_size_type parsed_size;
carsym *carsyms;
@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd)
}
/* OK, build the carsyms. */
for (i = 0; i < nsymz && stringsize > 0; i++)
stringend = stringbase + stringsize;
*stringend = 0;
for (i = 0; i < nsymz; i++)
{
bfd_size_type len;
rawptr = raw_armap + i;
carsyms->file_offset = swap ((bfd_byte *) rawptr);
carsyms->name = stringbase;
/* PR 17512: file: 4a1d50c1. */
len = strnlen (stringbase, stringsize);
if (len < stringsize)
len ++;
stringbase += len;
stringsize -= len;
stringbase += strlen (stringbase);
if (stringbase != stringend)
++stringbase;
carsyms++;
}
*stringbase = 0;
ardata->symdef_count = nsymz;
ardata->first_file_filepos = bfd_tell (abfd);
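Review bot: The sentinel store `*stringend = 0;` writes one byte past the `stringsize` bytes of string table, so it is only in bounds if the buffer behind `stringbase` was allocated with at least one spare byte; that allocation is outside this hunk, so the dependency should be stated at the store, e.g. `/* The string table buffer is allocated one byte larger than stringsize (presumably parsed_size + 1 -- confirm at the bfd_alloc); terminate it there so strlen below cannot run past the table.  */`. A second consequence worth a comment on the `if (stringbase != stringend)` line is that once the table is exhausted every remaining carsym gets `name` pointing at the empty sentinel string instead of the loop ending early as the removed `stringsize > 0` condition did, which is a deliberate defensive choice for a malformed armap but is not obvious from the code. The removed `/* PR 17512: file: 4a1d50c1.  */` line was the only trace of the fuzzing case this loop guards against; keeping that reference next to the new `strlen` line, alongside PR 24236, preserves the history for the next reader.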