* objcopy buffer overflow
@ 2021-11-01 12:04 Alan Modra
0 siblings, 0 replies; only message in thread
From: Alan Modra @ 2021-11-01 12:04 UTC (permalink / raw)
To: binutils
"tocopy" in this code was an int, which when the size to be copied was
larger than MAXINT could result in tocopy being negative. A negative
value of course is less than BUFSIZE, but when converted to
bfd_size_type is extremely large. This problem doesn't need a 2G size
element in an archive, just an element that is claimed to be that big
on some target that doesn't sanity check the size. See next patch.
PR 995
* objcopy.c (copy_unknown_object): Correct calculation of "tocopy".
Use better variable types.
diff --git a/binutils/objcopy.c b/binutils/objcopy.c
index 0e7400fe4cb..e0d52d114fe 100644
--- a/binutils/objcopy.c
+++ b/binutils/objcopy.c
@@ -1894,9 +1894,8 @@ static bool
copy_unknown_object (bfd *ibfd, bfd *obfd)
{
char *cbuf;
- int tocopy;
- long ncopied;
- long size;
+ bfd_size_type tocopy;
+ off_t size;
struct stat buf;
if (bfd_stat_arch_elt (ibfd, &buf) != 0)
@@ -1924,30 +1923,28 @@ copy_unknown_object (bfd *ibfd, bfd *obfd)
bfd_get_archive_filename (ibfd), bfd_get_filename (obfd));
cbuf = (char *) xmalloc (BUFSIZE);
- ncopied = 0;
- while (ncopied < size)
+ while (size != 0)
{
- tocopy = size - ncopied;
- if (tocopy > BUFSIZE)
+ if (size > BUFSIZE)
tocopy = BUFSIZE;
+ else
+ tocopy = size;
- if (bfd_bread (cbuf, (bfd_size_type) tocopy, ibfd)
- != (bfd_size_type) tocopy)
+ if (bfd_bread (cbuf, tocopy, ibfd) != tocopy)
{
bfd_nonfatal_message (NULL, ibfd, NULL, NULL);
free (cbuf);
return false;
}
- if (bfd_bwrite (cbuf, (bfd_size_type) tocopy, obfd)
- != (bfd_size_type) tocopy)
+ if (bfd_bwrite (cbuf, tocopy, obfd) != tocopy)
{
bfd_nonfatal_message (NULL, obfd, NULL, NULL);
free (cbuf);
return false;
}
- ncopied += tocopy;
+ size -= tocopy;
}
/* We should at least to be able to read it back when copying an
--
Alan Modra
Australia Development Lab, IBM
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2021-11-01 12:04 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-01 12:04 objcopy buffer overflow Alan Modra
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).