From: Alan Modra <amodra@gmail.com>
To: binutils@sourceware.org
Subject: Wild pointer reads in _bfd_ecoff_locate_line
Date: Fri, 17 Feb 2023 13:08:50 +1030	[thread overview]
Message-ID: <Y+7ouisD+WH2nZn5@squeak.grove.modra.org> (raw)

	* ecofflink.c (mk_fdrtab): Sanity check fdr procedure descriptor
	pointer and isymBase.  Set fdrtab_len after possible discards.
	Use size_t vars and catch possible size overflows.

diff --git a/bfd/ecofflink.c b/bfd/ecofflink.c
index 3521dc8c4d6..e902bd51d53 100644
--- a/bfd/ecofflink.c
+++ b/bfd/ecofflink.c
@@ -1730,8 +1730,8 @@ mk_fdrtab (bfd *abfd,
   FDR *fdr_start;
   FDR *fdr_end;
   bool stabs;
-  long len;
-  bfd_size_type amt;
+  size_t len;
+  size_t amt;
 
   fdr_start = debug_info->fdr;
   fdr_end = fdr_start + debug_info->symbolic_header.ifdMax;
@@ -1739,17 +1739,26 @@ mk_fdrtab (bfd *abfd,
   /* First, let's see how long the table needs to be.  */
   for (len = 0, fdr_ptr = fdr_start; fdr_ptr < fdr_end; fdr_ptr++)
     {
-      if (fdr_ptr->cpd == 0)	/* Skip FDRs that have no PDRs.  */
+      /* Sanity check fdr procedure descriptor pointer.  */
+      long ipdMax = debug_info->symbolic_header.ipdMax;
+      if (fdr_ptr->ipdFirst >= ipdMax
+	  || fdr_ptr->cpd > ipdMax - fdr_ptr->ipdFirst)
+	fdr_ptr->cpd = 0;
+      /* Skip FDRs that have no PDRs.  */
+      if (fdr_ptr->cpd == 0)
 	continue;
       ++len;
     }
 
   /* Now, create and fill in the table.  */
-  amt = (bfd_size_type) len * sizeof (struct ecoff_fdrtab_entry);
+  if (_bfd_mul_overflow (len, sizeof (struct ecoff_fdrtab_entry), &amt))
+    {
+      bfd_set_error (bfd_error_file_too_big);
+      return false;
+    }
   line_info->fdrtab = (struct ecoff_fdrtab_entry*) bfd_zalloc (abfd, amt);
   if (line_info->fdrtab == NULL)
     return false;
-  line_info->fdrtab_len = len;
 
   tab = line_info->fdrtab;
   for (fdr_ptr = fdr_start; fdr_ptr < fdr_end; fdr_ptr++)
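Review bot: The new sanity check at the top of the counting loop lets a negative `cpd` through: with `cpd < 0` both halves of the `||` are false, the `cpd == 0` skip does not apply, and the FDR is counted and later processed with a negative procedure count. If `cpd` is a signed field, as its comparison against the signed `ipdMax` suggests, the guard is cheap to extend: `if (fdr_ptr->cpd < 0 || fdr_ptr->ipdFirst >= ipdMax || fdr_ptr->cpd > ipdMax - fdr_ptr->ipdFirst)`; the same caveat applies to `ipdFirst` should it be a signed type. The clamp also writes back into `debug_info->fdr`, i.e. the caller's symbolic data rather than a local copy, which looks deliberate so that later readers of the FDR see the sanitised count; a comment such as `/* Clamp in place so later users of this FDR see the sanitised count.  */` would record that. mk_fdrtab's locals and its second loop continue outside this hunk.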
@@ -1766,6 +1775,10 @@ mk_fdrtab (bfd *abfd,
 	  char *sym_ptr;
 	  SYMR sym;
 
+	  if ((long) ((unsigned long) fdr_ptr->isymBase + 1) <= 0
+	      || fdr_ptr->isymBase + 1 >= debug_info->symbolic_header.isymMax)
+	    continue;
+
 	  sym_ptr = ((char *) debug_info->external_sym
 		     + (fdr_ptr->isymBase + 1) * debug_swap->external_sym_size);
 	  (*debug_swap->swap_sym_in) (abfd, sym_ptr, &sym);
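Review bot: The second clause of the new guard depends on the operand types: if `isymBase` is an unsigned field (the `(unsigned long)` cast in the first clause suggests wraparound of a large value was a concern) and `isymMax` is a signed `long`, a negative `isymMax` is converted to a huge unsigned value, the `>=` never fires, and the `sym_ptr` arithmetic on the next lines runs against an empty or invalid symbol table. If the header counts are rejected for sign when the symbolic information is read this is moot, but a local `|| debug_info->symbolic_header.isymMax <= 0` keeps the function self-contained. The first clause's conversion of an out-of-range `unsigned long` to `long` is implementation-defined rather than undefined, which is worth a comment for the next reader: `/* Reject isymBase values that wrap or exceed LONG_MAX once incremented.  */`. The enclosing loop body starts and ends outside this hunk.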
@@ -1797,12 +1810,14 @@ mk_fdrtab (bfd *abfd,
       tab->fdr = fdr_ptr;
       ++tab;
     }
+  len = tab - line_info->fdrtab;
+  line_info->fdrtab_len = len;
 
   /* Finally, the table is sorted in increasing memory-address order.
      The table is mostly sorted already, but there are cases (e.g.,
      static functions in include files), where this does not hold.
      Use "odump -PFv" to verify...  */
-  qsort (line_info->fdrtab, (size_t) len,
+  qsort (line_info->fdrtab, len,
 	 sizeof (struct ecoff_fdrtab_entry), cmp_fdrtab_entry);
 
   return true;

-- 
Alan Modra
Australia Development Lab, IBM
