* PR27879, stack-buffer-overflow on sysdump
@ 2021-05-19  1:55 Alan Modra
From: Alan Modra @ 2021-05-19  1:55 UTC (permalink / raw)
  To: binutils

	PR 27879
	* sysdump.c (getBARRAY): Sanity check size against max.
	(getINT): Avoid UB shift left.

diff --git a/binutils/sysdump.c b/binutils/sysdump.c
index 8993152bdd6..35796e829a0 100644
--- a/binutils/sysdump.c
+++ b/binutils/sysdump.c
@@ -131,19 +131,21 @@ fillup (unsigned char *ptr)
 }
 
 static barray
-getBARRAY (unsigned char *ptr, int *idx, int dsize ATTRIBUTE_UNUSED,
-	   int max ATTRIBUTE_UNUSED)
+getBARRAY (unsigned char *ptr, int *idx, int dsize ATTRIBUTE_UNUSED, int max)
 {
   barray res;
   int i;
   int byte = *idx / 8;
-  int size = ptr[byte++];
+  int size = 0;
+
+  if (byte < max)
+    size = ptr[byte++];
 
   res.len = size;
   res.data = (unsigned char *) xmalloc (size);
 
   for (i = 0; i < size; i++)
-    res.data[i] = ptr[byte++];
+    res.data[i] = byte < max ? ptr[byte++] : 0;
 
   return res;
 }
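Review bot: When the length byte declares more data than remains before `max`, the copy loop zero-fills the tail but `res.len` still reports the declared size, so a caller cannot tell a truncated record from one that really ends in zero bytes. Clamping inside the `if (byte < max)` branch, right after the length read, with `if (size > max - byte) size = max - byte;` would make `res.len` match the bytes actually present and let the loop be a plain copy again. Both new guards also assume `byte` is non-negative; `*idx` is a signed int, so `byte >= 0 && byte < max` would be the stricter test if a negative index can reach this function, which the hunk does not show. A short comment such as `/* Bytes at or past max are treated as absent so a malformed length cannot read beyond ptr. */` above the first guard would record why `max` is no longer unused.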
@@ -179,7 +181,8 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
       n = (ptr[byte + 0] << 8) + ptr[byte + 1];
       break;
     case 4:
-      n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]);
+      n = (((unsigned) ptr[byte + 0] << 24) + (ptr[byte + 1] << 16)
+	   + (ptr[byte + 2] << 8) + (ptr[byte + 3]));
       break;
     default:
       fatal (_("Unsupported read size: %d"), size);
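Review bot: The four-byte case still reads `ptr[byte + 3]`, and the two-byte case reads `ptr[byte + 1]`, with no bound against `max` visible in this hunk. getINT starts and ends outside the hunk, so an earlier check may exist, but it is worth confirming that it covers `byte + size` and not just `byte`, given that getBARRAY in the same commit needed a per-byte guard. The cast itself deserves a one-line comment, e.g. `/* Shift as unsigned: a top byte >= 0x80 shifted left 24 overflows int. */`, so it is not removed later as redundant.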

-- 
Alan Modra
Australia Development Lab, IBM
