public inbox for binutils-cvs@sourceware.org
* [binutils-gdb] Add ECOFF Symbolic Header sanity checks
@ 2023-02-03  5:41 Alan Modra
  0 siblings, 0 replies; only message in thread
From: Alan Modra @ 2023-02-03  5:41 UTC (permalink / raw)
  To: bfd-cvs

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=96e034530e092e8b746e00d13086c1138a84504b

commit 96e034530e092e8b746e00d13086c1138a84504b
Author: Alan Modra <amodra@gmail.com>
Date:   Thu Feb 2 22:39:31 2023 +1030

    Add ECOFF Symbolic Header sanity checks
    
    Anti-fuzzer measures.  The checks don't ensure the various elements in
    the header are distinct, but that isn't important as far as making
    sure we don't overrun the buffer containing all the elements.  Also,
    we now don't care about offsets where the corresponding count is zero.
    
            * ecoff.c (_bfd_ecoff_slurp_symbolic_info): Sanity check offsets
            in debug->symbolic_header.

Diff:
---
 bfd/ecoff.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/bfd/ecoff.c b/bfd/ecoff.c
index 717d2fa2c75..48f33df630e 100644
--- a/bfd/ecoff.c
+++ b/bfd/ecoff.c
@@ -527,12 +527,24 @@ _bfd_ecoff_slurp_symbolic_info (bfd *abfd,
      documented section. And the ordering of the sections varies between
      statically and dynamically linked executables.
      If bfd supports SEEK_END someday, this code could be simplified.  */
-  raw_end = 0;
+  raw_end = raw_base;
 
 #define UPDATE_RAW_END(start, count, size) \
-  cb_end = internal_symhdr->start + internal_symhdr->count * (size); \
-  if (cb_end > raw_end) \
-    raw_end = cb_end
+  do									\
+    if (internal_symhdr->count != 0)					\
+      {									\
+	if (internal_symhdr->start < raw_base)				\
+	  goto err;							\
+	if (_bfd_mul_overflow ((unsigned long) internal_symhdr->count,	\
+			       (size), &amt))				\
+	  goto err;							\
+	cb_end = internal_symhdr->start + amt;				\
+	if (cb_end < internal_symhdr->start)				\
+	  goto err;							\
+	if (cb_end > raw_end)						\
+	  raw_end = cb_end;						\
+      }									\
+  while (0)
 
   UPDATE_RAW_END (cbLineOffset, cbLine, sizeof (unsigned char));
   UPDATE_RAW_END (cbDnOffset, idnMax, backend->debug_swap.external_dnr_size);
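Review bot: the new `do { ... } while (0)` form turns UPDATE_RAW_END from an expression into a statement, so every invocation must end with a `;` (the two visible here do) and the macro can no longer be used inside an expression; worth a one-line comment above the `#define` saying so, together with the fact that it jumps to the `err` label, since that label is defined some 70 lines further down and a reader of this block will not see it. The three checks are ordered sensibly: `start < raw_base` rejects offsets that would underflow `raw_base` subtraction later, `_bfd_mul_overflow` guards the count*size product, and `cb_end < internal_symhdr->start` catches wraparound of the addition; the last check only works if `cb_end` is at least as wide as the `start` fields, so confirm their declared types match. Note also that `raw_end` now starts at `raw_base` rather than 0, so when every count is zero the computed size becomes zero; check that the code following this macro tolerates a zero-length read instead of treating it as an error.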
@@ -599,6 +611,7 @@ _bfd_ecoff_slurp_symbolic_info (bfd *abfd,
   if (_bfd_mul_overflow ((unsigned long) internal_symhdr->ifdMax,
 			 sizeof (struct fdr), &amt))
     {
+    err:
       bfd_set_error (bfd_error_file_too_big);
       return false;
     }
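Review bot: placing the `err:` label inside the body of this `if` means the `goto err` in UPDATE_RAW_END jumps into the middle of another statement's block; that is legal C here (no variably-modified declarations are skipped), but it is easy to break if a declaration is later added to the block, so either hoist the label out to its own `err:` block before `return false;` or add a comment at the label (`/* Reached from UPDATE_RAW_END on a bad symbolic header offset.  */`) explaining why it sits here. Reusing `bfd_error_file_too_big` for a start offset below `raw_base` is also slightly misleading, since that case is a malformed header rather than an oversized file; `bfd_error_bad_value` would describe it more accurately if you want to distinguish the two.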
