From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 1062) id 351BE3858CDB; Wed, 3 Aug 2022 07:31:04 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 351BE3858CDB Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Alan Modra To: bfd-cvs@sourceware.org Subject: [binutils-gdb] Re: PE objdump -x X-Act-Checkin: binutils-gdb X-Git-Author: Alan Modra X-Git-Refname: refs/heads/master X-Git-Oldrev: 5844ccaac7d7e628b8c3feea725d87fd4bafbdf6 X-Git-Newrev: ecfc6ddb8074aff8882155b5900958725094f508 Message-Id: <20220803073104.351BE3858CDB@sourceware.org> Date: Wed, 3 Aug 2022 07:31:04 +0000 (GMT) X-BeenThere: binutils-cvs@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Binutils-cvs mailing list List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Aug 2022 07:31:04 -0000 https://sourceware.org/git/gitweb.cgi?p=3Dbinutils-gdb.git;h=3Decfc6ddb8074= aff8882155b5900958725094f508 commit ecfc6ddb8074aff8882155b5900958725094f508 Author: Alan Modra Date: Wed Aug 3 15:06:15 2022 +0930 Re: PE objdump -x =20 All of these buffer overrun tests are better written as a comparison against size remaining, due to ISO C 9899 standard 6.5.2 para 8 regarding adding a constant to a pointer: =20 "If both the pointer operand and the result point to elements of the same array object, or one past the last element of the array object, the evaluation shall not produce an overflow; otherwise, the behavior is undefined." =20 So "ex_dta + 4" might be undefined behaviour, if you interpret "the array object" in this case to be the malloc'd section contents! =20 * pei-x86_64.c (pex64_get_unwind_info): Tidy sanity checks. (pex64_xdata_print_uwd_codes): Likewise. Diff: --- bfd/pei-x86_64.c | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) 
diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
index 795bf66f8b4..9d0ff81ec4b 100644
--- a/bfd/pei-x86_64.c
+++ b/bfd/pei-x86_64.c
@@ -109,7 +109,7 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_i= nfo *ui,
=20
 memset (ui, 0, sizeof (struct pex64_unwind_info));
=20
- if (ex_dta >=3D ex_dta_end || ex_dta + 4 > ex_dta_end)
+ if (ex_dta_end - ex_dta < 4)
 return false;
=20
 ui->Version =3D PEX64_UWI_VERSION (ex_ui->Version_Flags);
@@ -123,14 +123,14 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind= _info *ui,
 ui->rawUnwindCodes =3D ex_dta + 4;
 ui->rawUnwindCodesEnd =3D ex_dta_end;
=20
- ex_dta +=3D ui->SizeOfBlock;
- if (ex_dta > ex_dta_end)
+ if ((size_t) (ex_dta_end - ex_dta) < ui->SizeOfBlock)
 return false;
+ ex_dta +=3D ui->SizeOfBlock;
=20
 switch (ui->Flags)
 {
 case UNW_FLAG_CHAININFO:
- if (ex_dta + 12 > ex_dta_end)
+ if (ex_dta_end - ex_dta < 12)
 return false;
 ui->rva_BeginAddress =3D bfd_get_32 (abfd, ex_dta + 0);
 ui->rva_EndAddress =3D bfd_get_32 (abfd, ex_dta + 4);
@@ -140,7 +140,7 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_i= nfo *ui,
 case UNW_FLAG_EHANDLER:
 case UNW_FLAG_UHANDLER:
 case UNW_FLAG_FHANDLER:
- if (ex_dta + 4 > ex_dta_end)
+ if (ex_dta_end - ex_dta < 4)
 return false;
 ui->rva_ExceptionHandler =3D bfd_get_32 (abfd, ex_dta);
 ui->SizeOfBlock +=3D 4;
@@ -172,7 +172,8 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
=20
 i =3D 0;
=20
- if (ui->rawUnwindCodes + ui->CountOfCodes * 2 > ui->rawUnwindCodesEnd)
+ if ((size_t) (ui->rawUnwindCodesEnd - ui->rawUnwindCodes)
+ < ui->CountOfCodes * 2)
 {
 fprintf (file, _("warning: corrupt unwind data\n"));
 return;
@@ -226,7 +227,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 case UWOP_ALLOC_LARGE:
 if (info =3D=3D 0)
 {
- if (dta + 4 > ui->rawUnwindCodesEnd)
+ if (ui->rawUnwindCodesEnd - dta < 4)
 {
 fprintf (file, _("warning: corrupt unwind data\n"));
 return;
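Review bot: The new `ex_dta_end - ex_dta < 4` test in the -109 hunk carries none of the reasoning from the commit message into the source, so a later cleanup could quietly turn it back into the `ex_dta + 4 > ex_dta_end` form this patch removes; a comment above it would pin the intent, e.g. `/* Compare the bytes remaining rather than forming ex_dta + N: a pointer past the end of the section buffer is undefined behaviour (see the C standard clause quoted in the commit log).  */`. The `(size_t)` casts added in the -123 and -172 hunks are only correct because this first check has already established that the end pointer is not below the start, so a negative difference cannot be cast to a huge size_t; that precondition deserves a one-line note at each cast, since the print routine relies on a check made in a different function. pex64_get_unwind_info begins before this hunk, so where ex_dta and ex_dta_end are derived from (and whether they are guaranteed to point into the same buffer, which the subtraction requires) is not visible here.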
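Review bot: The -226 hunk is the first of eight identical `ui->rawUnwindCodesEnd - dta < N` / corrupt-data checks (the others are the -236, -261, -273, -287, -305, -317 and -329 hunks), and each repeats the comparison by hand, which is how the original `dta + N > end` form was spread through the function in the first place. A small static inline helper that expresses "at least N bytes remain" once, with the pointer-subtraction rationale documented on it, would make every site read the same way and give future opcode cases an obviously correct check to call. The helper below assumes dta and rawUnwindCodesEnd are plain byte pointers; the switch it lives in starts and ends outside this hunk.
```c
/* True when at least NEED bytes remain between DTA and END.  The pointers are
   subtracted rather than adding NEED to DTA, because a pointer more than one
   past the end of the buffer is undefined behaviour.  */
static inline bool
pex64_have_bytes (const bfd_byte *dta, const bfd_byte *end, size_t need)
{
  return dta <= end && (size_t) (end - dta) >= need;
}

/* … unchanged: case UWOP_ALLOC_LARGE: / if (info == 0) … */
	  if (!pex64_have_bytes (dta, ui->rawUnwindCodesEnd, 4))
/* … unchanged: corrupt unwind data warning and return … */
```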
@@ -236,7 +237,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 }
 else
 {
- if (dta + 6 > ui->rawUnwindCodesEnd)
+ if (ui->rawUnwindCodesEnd - dta < 6)
 {
 fprintf (file, _("warning: corrupt unwind data\n"));
 return;
@@ -261,7 +262,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 break;
=20
 case UWOP_SAVE_NONVOL:
- if (dta + 4 > ui->rawUnwindCodesEnd)
+ if (ui->rawUnwindCodesEnd - dta < 4)
 {
 fprintf (file, _("warning: corrupt unwind data\n"));
 return;
@@ -273,7 +274,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 break;
=20
 case UWOP_SAVE_NONVOL_FAR:
- if (dta + 6 > ui->rawUnwindCodesEnd)
+ if (ui->rawUnwindCodesEnd - dta < 6)
 {
 fprintf (file, _("warning: corrupt unwind data\n"));
 return;
@@ -287,7 +288,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 case UWOP_SAVE_XMM:
 if (ui->Version =3D=3D 1)
 {
- if (dta + 4 > ui->rawUnwindCodesEnd)
+ if (ui->rawUnwindCodesEnd - dta < 4)
 {
 fprintf (file, _("warning: corrupt unwind data\n"));
 return;
@@ -305,7 +306,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 break;
=20
 case UWOP_SAVE_XMM_FAR:
- if (dta + 6 > ui->rawUnwindCodesEnd)
+ if (ui->rawUnwindCodesEnd - dta < 6)
 {
 fprintf (file, _("warning: corrupt unwind data\n"));
 return;
@@ -317,7 +318,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 break;
=20
 case UWOP_SAVE_XMM128:
- if (dta + 4 > ui->rawUnwindCodesEnd)
+ if (ui->rawUnwindCodesEnd - dta < 4)
 {
 fprintf (file, _("warning: corrupt unwind data\n"));
 return;
@@ -329,7 +330,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 break;
=20
 case UWOP_SAVE_XMM128_FAR:
- if (dta + 6 > ui->rawUnwindCodesEnd)
+ if (ui->rawUnwindCodesEnd - dta < 6)
 {
 fprintf (file, _("warning: corrupt unwind data\n"));
 return;