Date: Thu, 07 Apr 2011 01:09:00 -0000
From: Alan Modra
To: Kai Tietz
Cc: Binutils, Nick Clifton
Subject: Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
Message-ID: <20110407010943.GW19002@bubble.grove.modra.org>
X-SW-Source: 2011-04/txt/msg00074.txt.bz2

On Wed, Apr 06, 2011 at 06:50:15PM +0200, Kai Tietz wrote:
> Hello,
>
> this issue was reported by H. Becker to me. He found that the code in
> peXXigen.c about pdata-section sorting might cause a buffer-overrun
> for large pdata-data. Working in a privately allocated buffer - instead
> of using pfinfo->contents - avoids this.
>
> ChangeLog
>
> 2011-04-06  Kai Tietz
>
> 	* peXXigen.c (_bfd_XXi_final_link_postscript): Sort pdata in temporary
> 	buffer.
>
> Tested for x86_64-w64-mingw32. OK to apply?
>
> Regards,
> Kai
> Index: src/bfd/peXXigen.c
> ===================================================================
> --- src.orig/bfd/peXXigen.c	2010-12-21 19:33:07.000000000 +0100
> +++ src/bfd/peXXigen.c	2011-04-06 18:19:45.945394800 +0200
> @@ -2459,14 +2459,22 @@ _bfd_XXi_final_link_postscript (bfd * ab > if (sec) > { > bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size; Since this is an output section, this should just be sec->size I think. See section.c rawsize comment. > + bfd_byte *tmp_data = NULL; > > - if (x && bfd_get_section_contents (abfd, sec, pfinfo->contents, 0, x)) > + if (x) > + tmp_data = bfd_malloc (x); > + > + if (tmp_data != NULL) > { > - qsort (pfinfo->contents, > - (size_t) ((sec->size size : x) / 12), > - 12, sort_x64_pdata); > - bfd_set_section_contents (pfinfo->output_bfd, sec, > - pfinfo->contents, 0, x); > + if (bfd_get_section_contents (abfd, sec, tmp_data, 0, x)) > + { > + qsort (tmp_data, > + (size_t) ((sec->size size : x) / 12), Likewise here. OK with those changes. > + 12, sort_x64_pdata); > + bfd_set_section_contents (pfinfo->output_bfd, sec, > + tmp_data, 0, x); > + } > + free (tmp_data); > } > } > } -- Alan Modra Australia Development Lab, IBM
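Review bot: If `bfd_malloc (x)` returns NULL, or `bfd_get_section_contents` fails inside the new `if (tmp_data != NULL)` block, the hunk falls through past `free (tmp_data);` and leaves .pdata unsorted without telling the caller; the get_section_contents case was already silent before this patch, but the allocation failure is a new silent path, so consider reporting the failure to the caller rather than writing out an unsorted exception table. Two smaller points on the same hunk: once `x` is `sec->size`, as suggested above, the qsort count `(sec->size ... : x) / 12` collapses to `x / 12`; and when `x` is not a multiple of 12 the trailing partial entry is neither sorted nor rejected, which deserves either a check or a comment saying it is deliberately ignored.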
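The failure mode Kai describes, a shared scratch buffer that is smaller than the .pdata section being sorted in place, and the fix, sorting in a buffer allocated for exactly the section's size, as an added stand-alone example. This is not bfd code: the function names (`sort_pdata_copy`, `pdata_is_sorted`, `build_sample_pdata`) are hypothetical, the sample section is constructed inline, and the comparator orders entries by BeginAddress, which is an assumption about what `sort_x64_pdata` is meant to establish (the x64 unwinder binary-searches .pdata on that field). It also adds the size check the patch does not have: a section that is not a whole number of 12-byte entries is refused rather than having its tail silently skipped.

```c
/* Added example (not binutils/bfd code): sort an x64 .pdata image in a
   private buffer sized to the section, with a size check.  */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Each x64 .pdata entry is a RUNTIME_FUNCTION: BeginAddress, EndAddress,
   UnwindData, three little-endian 32-bit RVAs, 12 bytes in total.  */
#define PDATA_ENTRY_SIZE 12

static uint32_t rd32 (const uint8_t *p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

static void wr32 (uint8_t *p, uint32_t v)
{
  p[0] = v & 0xff;
  p[1] = (v >> 8) & 0xff;
  p[2] = (v >> 16) & 0xff;
  p[3] = (v >> 24) & 0xff;
}

/* Order entries by BeginAddress.  Assumed to be what sort_x64_pdata intends;
   the unwinder binary-searches .pdata on this field.  */
static int cmp_pdata_entry (const void *a, const void *b)
{
  uint32_t ba = rd32 (a), bb = rd32 (b);
  return (ba > bb) - (ba < bb);
}

/* Copy `size` bytes of .pdata into a buffer allocated for exactly that size
   (never a shared scratch buffer sized for some other section), sort the
   entries there and return the buffer; the caller frees it.  Returns NULL if
   the size is not a whole number of entries or allocation fails, so a
   truncated trailing entry is refused instead of being silently ignored.  */
uint8_t *sort_pdata_copy (const uint8_t *section, size_t size, size_t *nentries)
{
  if (size == 0 || size % PDATA_ENTRY_SIZE != 0)
    return NULL;
  uint8_t *buf = malloc (size);
  if (buf == NULL)
    return NULL;
  memcpy (buf, section, size);
  qsort (buf, size / PDATA_ENTRY_SIZE, PDATA_ENTRY_SIZE, cmp_pdata_entry);
  if (nentries != NULL)
    *nentries = size / PDATA_ENTRY_SIZE;
  return buf;
}

/* The invariant the sort must establish: whole entries, non-decreasing
   BeginAddress.  Returns 1 when it holds, 0 otherwise.  */
int pdata_is_sorted (const uint8_t *section, size_t size)
{
  if (size % PDATA_ENTRY_SIZE != 0)
    return 0;
  size_t n = size / PDATA_ENTRY_SIZE;
  for (size_t i = 1; i < n; i++)
    if (rd32 (section + i * PDATA_ENTRY_SIZE)
        < rd32 (section + (i - 1) * PDATA_ENTRY_SIZE))
      return 0;
  return 1;
}

/* Constructed sample: three functions emitted out of address order.
   `out` must hold at least 36 bytes.  Returns the section size.  */
size_t build_sample_pdata (uint8_t *out)
{
  const uint32_t rvas[3][3] = {
    { 0x3000, 0x3080, 0x5020 },   /* BeginAddress, EndAddress, UnwindData */
    { 0x1000, 0x1040, 0x5000 },
    { 0x2000, 0x20f0, 0x5010 },
  };
  for (int i = 0; i < 3; i++)
    for (int j = 0; j < 3; j++)
      wr32 (out + i * PDATA_ENTRY_SIZE + j * 4, rvas[i][j]);
  return 3 * PDATA_ENTRY_SIZE;
}

/* Sort the sample and verify that the copy is ordered and that each entry's
   unwind pointer travelled with its BeginAddress.  Returns 1 on success.  */
int sort_sample_and_check (void)
{
  uint8_t raw[36];
  size_t size = build_sample_pdata (raw), n = 0;
  uint8_t *sorted = sort_pdata_copy (raw, size, &n);
  int ok = sorted != NULL && n == 3
           && !pdata_is_sorted (raw, size) && pdata_is_sorted (sorted, size)
           && rd32 (sorted + 0) == 0x1000 && rd32 (sorted + 8) == 0x5000
           && rd32 (sorted + 12) == 0x2000 && rd32 (sorted + 20) == 0x5010
           && rd32 (sorted + 24) == 0x3000 && rd32 (sorted + 32) == 0x5020;
  free (sorted);
  return ok;
}
```

The buffer length is derived from the section being sorted, which is the whole point of the patch under review: the overrun arose because the scratch buffer's size and the section's size were decided in different places. Returning NULL on a bad size or allocation failure gives the caller something to act on instead of an unsorted table.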