From: Alan Modra <amodra@sourceware.org>
To: bfd-cvs@sourceware.org
Subject: [binutils-gdb] Re: PE objdump -x
Date: Wed,  3 Aug 2022 07:31:04 +0000 (GMT)	[thread overview]
Message-ID: <20220803073104.351BE3858CDB@sourceware.org> (raw)

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ecfc6ddb8074aff8882155b5900958725094f508

commit ecfc6ddb8074aff8882155b5900958725094f508
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Aug 3 15:06:15 2022 +0930

    Re: PE objdump -x
    
    All of these buffer overrun tests are better written as a comparison
    against size remaining, due to ISO C 9899 standard 6.5.6 para 8
    regarding adding a constant to a pointer:
    
    "If both the pointer operand and the result point to elements of the
    same array object, or one past the last element of the array object,
    the evaluation shall not produce an overflow; otherwise, the behavior
    is undefined."
    
    So "ex_dta + 4" might be undefined behaviour, if you interpret "the
    array object" in this case to be the malloc'd section contents!
    
            * pei-x86_64.c (pex64_get_unwind_info): Tidy sanity checks.
            (pex64_xdata_print_uwd_codes): Likewise.

Diff:
---
 bfd/pei-x86_64.c | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
index 795bf66f8b4..9d0ff81ec4b 100644
--- a/bfd/pei-x86_64.c
+++ b/bfd/pei-x86_64.c
@@ -109,7 +109,7 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui,
 
   memset (ui, 0, sizeof (struct pex64_unwind_info));
 
-  if (ex_dta >= ex_dta_end || ex_dta + 4 > ex_dta_end)
+  if (ex_dta_end - ex_dta < 4)
     return false;
 
   ui->Version = PEX64_UWI_VERSION (ex_ui->Version_Flags);
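Review bot: The rewritten test `if (ex_dta_end - ex_dta < 4)` is only well-defined when ex_dta and ex_dta_end point into the same object, because the C standard puts the same same-array requirement on pointer subtraction (6.5.6 para 9) that the commit message cites for addition, so the function now depends on a caller precondition the hunk does not state. A comment above the check would make that contract visible, e.g. `/* Caller passes ex_dta and ex_dta_end into one section buffer, so the difference is well-defined; a negative or too-small remainder fails the compare.  */`. The read through ex_ui on the following line presumably aliases ex_dta, but its setup is outside the hunk; pex64_get_unwind_info starts before the hunk.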
@@ -123,14 +123,14 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui,
   ui->rawUnwindCodes = ex_dta + 4;
   ui->rawUnwindCodesEnd = ex_dta_end;
 
-  ex_dta += ui->SizeOfBlock;
-  if (ex_dta > ex_dta_end)
+  if ((size_t) (ex_dta_end - ex_dta) < ui->SizeOfBlock)
     return false;
+  ex_dta += ui->SizeOfBlock;
 
   switch (ui->Flags)
     {
     case UNW_FLAG_CHAININFO:
-      if (ex_dta + 12 > ex_dta_end)
+      if (ex_dta_end - ex_dta < 12)
 	return false;
       ui->rva_BeginAddress = bfd_get_32 (abfd, ex_dta + 0);
       ui->rva_EndAddress = bfd_get_32 (abfd, ex_dta + 4);
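Review bot: The `(size_t)` cast in `if ((size_t) (ex_dta_end - ex_dta) < ui->SizeOfBlock)` turns a negative remainder into a huge value that passes the check, which is safe only because the earlier 4-byte test already rejected ex_dta beyond ex_dta_end, and nothing in the hunk records that dependency. A comment such as `/* Remaining length is non-negative after the 4-byte check above, so the unsigned compare cannot wrap.  */` keeps a later reordering from silently breaking it. Whether SizeOfBlock is always at least the 4 bytes consumed before rawUnwindCodes is set is not visible here; the function starts and ends outside the hunk.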
@@ -140,7 +140,7 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui,
     case UNW_FLAG_EHANDLER:
     case UNW_FLAG_UHANDLER:
     case UNW_FLAG_FHANDLER:
-      if (ex_dta + 4 > ex_dta_end)
+      if (ex_dta_end - ex_dta < 4)
 	return false;
       ui->rva_ExceptionHandler = bfd_get_32 (abfd, ex_dta);
       ui->SizeOfBlock += 4;
@@ -172,7 +172,8 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 
   i = 0;
 
-  if (ui->rawUnwindCodes + ui->CountOfCodes * 2 > ui->rawUnwindCodesEnd)
+  if ((size_t) (ui->rawUnwindCodesEnd - ui->rawUnwindCodes)
+      < ui->CountOfCodes * 2)
     {
       fprintf (file, _("warning: corrupt unwind data\n"));
       return;
@@ -226,7 +227,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	case UWOP_ALLOC_LARGE:
 	  if (info == 0)
 	    {
-	      if (dta + 4 > ui->rawUnwindCodesEnd)
+	      if (ui->rawUnwindCodesEnd - dta < 4)
 		{
 		  fprintf (file, _("warning: corrupt unwind data\n"));
 		  return;
@@ -236,7 +237,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	    }
 	  else
 	    {
-	      if (dta + 6 > ui->rawUnwindCodesEnd)
+	      if (ui->rawUnwindCodesEnd - dta < 6)
 		{
 		  fprintf (file, _("warning: corrupt unwind data\n"));
 		  return;
@@ -261,7 +262,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	  break;
 
 	case UWOP_SAVE_NONVOL:
-	  if (dta + 4 > ui->rawUnwindCodesEnd)
+	  if (ui->rawUnwindCodesEnd - dta < 4)
 	    {
 	      fprintf (file, _("warning: corrupt unwind data\n"));
 	      return;
@@ -273,7 +274,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	  break;
 
 	case UWOP_SAVE_NONVOL_FAR:
-	  if (dta + 6 > ui->rawUnwindCodesEnd)
+	  if (ui->rawUnwindCodesEnd - dta < 6)
 	    {
 	      fprintf (file, _("warning: corrupt unwind data\n"));
 	      return;
@@ -287,7 +288,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	case UWOP_SAVE_XMM:
 	  if (ui->Version == 1)
 	    {
-	      if (dta + 4 > ui->rawUnwindCodesEnd)
+	      if (ui->rawUnwindCodesEnd - dta < 4)
 		{
 		  fprintf (file, _("warning: corrupt unwind data\n"));
 		  return;
@@ -305,7 +306,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	  break;
 
 	case UWOP_SAVE_XMM_FAR:
-	  if (dta + 6 > ui->rawUnwindCodesEnd)
+	  if (ui->rawUnwindCodesEnd - dta < 6)
 	    {
 	      fprintf (file, _("warning: corrupt unwind data\n"));
 	      return;
@@ -317,7 +318,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	  break;
 
 	case UWOP_SAVE_XMM128:
-	  if (dta + 4 > ui->rawUnwindCodesEnd)
+	  if (ui->rawUnwindCodesEnd - dta < 4)
 	    {
 	      fprintf (file, _("warning: corrupt unwind data\n"));
 	      return;
@@ -329,7 +330,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	  break;
 
 	case UWOP_SAVE_XMM128_FAR:
-	  if (dta + 6 > ui->rawUnwindCodesEnd)
+	  if (ui->rawUnwindCodesEnd - dta < 6)
 	    {
 	      fprintf (file, _("warning: corrupt unwind data\n"));
 	      return;

