public inbox for binutils@sourceware.org
From: Alan Modra <amodra@gmail.com>
To: binutils@sourceware.org
Subject: Add ECOFF Symbolic Header sanity checks
Date: Fri, 3 Feb 2023 16:10:53 +1030
Message-ID: <Y9yeZbU4atFWrl5i@squeak.grove.modra.org>

Anti-fuzzer measures.  The checks don't ensure the various elements in
the header are distinct, but that isn't important as far as making
sure we don't overrun the buffer containing all the elements.  Also,
we now don't care about offsets where the corresponding count is zero.

	* ecoff.c (_bfd_ecoff_slurp_symbolic_info): Sanity check offsets
	in debug->symbolic_header.

diff --git a/bfd/ecoff.c b/bfd/ecoff.c
index 717d2fa2c75..48f33df630e 100644
--- a/bfd/ecoff.c
+++ b/bfd/ecoff.c
@@ -527,12 +527,24 @@ _bfd_ecoff_slurp_symbolic_info (bfd *abfd,
      documented section. And the ordering of the sections varies between
      statically and dynamically linked executables.
      If bfd supports SEEK_END someday, this code could be simplified.  */
-  raw_end = 0;
+  raw_end = raw_base;
 
 #define UPDATE_RAW_END(start, count, size) \
-  cb_end = internal_symhdr->start + internal_symhdr->count * (size); \
-  if (cb_end > raw_end) \
-    raw_end = cb_end
+  do									\
+    if (internal_symhdr->count != 0)					\
+      {									\
+	if (internal_symhdr->start < raw_base)				\
+	  goto err;							\
+	if (_bfd_mul_overflow ((unsigned long) internal_symhdr->count,	\
+			       (size), &amt))				\
+	  goto err;							\
+	cb_end = internal_symhdr->start + amt;				\
+	if (cb_end < internal_symhdr->start)				\
+	  goto err;							\
+	if (cb_end > raw_end)						\
+	  raw_end = cb_end;						\
+      }									\
+  while (0)
 
   UPDATE_RAW_END (cbLineOffset, cbLine, sizeof (unsigned char));
   UPDATE_RAW_END (cbDnOffset, idnMax, backend->debug_swap.external_dnr_size);
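Review bot: the `(unsigned long)` cast on `internal_symhdr->count` in the `_bfd_mul_overflow` call suggests the count fields are signed, and a negative count gets past this check when `size` is 1 (the `cbLine` use with `sizeof (unsigned char)`): the cast turns it into a huge `amt`, and the `cb_end < internal_symhdr->start` wrap test only rejects it when `start + amt` actually wraps, so for a small `start` the macro instead leaves a huge `raw_end` for later code to cope with. Suggest `if (internal_symhdr->count < 0) goto err;` ahead of the multiply (or one explicit rejection of negative counts before the macro uses) so the bad header is refused here rather than wherever a huge `raw_end` happens to fail.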
@@ -599,6 +611,7 @@ _bfd_ecoff_slurp_symbolic_info (bfd *abfd,
   if (_bfd_mul_overflow ((unsigned long) internal_symhdr->ifdMax,
 			 sizeof (struct fdr), &amt))
     {
+    err:
       bfd_set_error (bfd_error_file_too_big);
       return false;
     }
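Review bot: `err:` sits inside the body of the `if (_bfd_mul_overflow (... ifdMax ...))` block, so the new `goto err` statements jump into a block from outside it; that is legal C but easy to misread, and it also reports every header-offset problem as `bfd_error_file_too_big`, which is misleading for an offset below `raw_base`. Suggest a separate label after the `if`, e.g. `err: bfd_set_error (bfd_error_bad_value); return false;`, and a comment at the label stating what, if anything, acquired between the `UPDATE_RAW_END` calls and this point needs releasing on that path.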

-- 
Alan Modra
Australia Development Lab, IBM