public inbox for gdb-testers@sourceware.org
From: gdb-buildbot@sergiodj.net
To: gdb-testers@sourceware.org
Subject: [binutils-gdb] PR25961, buffer overflow in coff_swap_aux_in
Date: Tue, 26 May 2020 16:26:34 -0400
Message-ID: <4d5acb1ea570f04f8020338bad6918dfe76b785c@gdb-build>

*** TEST RESULTS FOR COMMIT 4d5acb1ea570f04f8020338bad6918dfe76b785c ***

commit 4d5acb1ea570f04f8020338bad6918dfe76b785c
Author:     Alan Modra <amodra@gmail.com>
AuthorDate: Mon May 11 18:00:31 2020 +0930
Commit:     Alan Modra <amodra@gmail.com>
CommitDate: Mon May 11 18:11:26 2020 +0930

    PR25961, buffer overflow in coff_swap_aux_in
    
            PR 25961
            * coffgen.c (coff_get_normalized_symtab): Check that buffer
            contains required number of auxents before processing any auxent.
            * coffswap.h (coff_swap_aux_in <C_FILE>): Only swap in extended
            file name from auxents for PE.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 19ecf89292..38ff45537b 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2020-05-11  Alan Modra  <amodra@gmail.com>
+
+	PR 25961
+	* coffgen.c (coff_get_normalized_symtab): Check that buffer
+	contains required number of auxents before processing any auxent.
+	* coffswap.h (coff_swap_aux_in <C_FILE>): Only swap in extended
+	file name from auxents for PE.
+
 2020-05-04  Gunther Nikl  <gnikl@justmail.de>
 
 	* aout-cris.c (DEFAULT_ARCH): Delete define.
diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index 6d84d51284..96140e0ad2 100644
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1818,6 +1818,13 @@ coff_get_normalized_symtab (bfd *abfd)
       symbol_ptr = internal_ptr;
       internal_ptr->is_sym = TRUE;
 
+      /* PR 17512: Prevent buffer overrun.  */
+      if (symbol_ptr->u.syment.n_numaux > (raw_end - raw_src) / symesz)
+	{
+	  bfd_release (abfd, internal);
+	  return NULL;
+	}
+
       for (i = 0;
 	   i < symbol_ptr->u.syment.n_numaux;
 	   i++)
@@ -1825,13 +1832,6 @@ coff_get_normalized_symtab (bfd *abfd)
 	  internal_ptr++;
 	  raw_src += symesz;
 
-	  /* PR 17512: Prevent buffer overrun.  */
-	  if (raw_src >= raw_end || internal_ptr >= internal_end)
-	    {
-	      bfd_release (abfd, internal);
-	      return NULL;
-	    }
-
 	  bfd_coff_swap_aux_in (abfd, (void *) raw_src,
 				symbol_ptr->u.syment.n_type,
 				symbol_ptr->u.syment.n_sclass,
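Review bot: the removed check also guarded `internal_ptr >= internal_end`, while its replacement above only bounds the raw buffer, so the code now assumes `internal` holds at least one entry per symesz-sized slot between raw_src and raw_end. That is presumably how the table is allocated, but nothing in the hunk shows it; a short comment at the new check (or an assert that internal_end is not reached before raw_end) would make the reliance explicit for the next person who touches the allocation.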
diff --git a/bfd/coffswap.h b/bfd/coffswap.h
index 7c0be22107..f75001e0d2 100644
--- a/bfd/coffswap.h
+++ b/bfd/coffswap.h
@@ -399,7 +399,7 @@ coff_swap_aux_in (bfd *abfd,
 #if FILNMLEN != E_FILNMLEN
 #error we need to cope with truncating or extending FILNMLEN
 #else
-	  if (numaux > 1)
+	  if (numaux > 1 && coff_data (abfd)->pe)
 	    {
 	      if (indx == 0)
 		memcpy (in->x_file.x_fname, ext->x_file.x_fname,
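Review bot: the added `coff_data (abfd)->pe` condition is a behaviour change for non-PE targets: a C_FILE symbol with numaux > 1 now takes only the first auxent's x_fname and ignores the following auxents instead of assembling an extended name from them. The ChangeLog states this is intended ("Only swap in extended file name from auxents for PE"), but nothing in the code says so; a one-line comment beside the condition noting that only PE spreads long file names over several auxents would stop a reader from taking the extra test for a missed case.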


Thread overview: 8+ messages
2020-05-26 20:26 gdb-buildbot [this message]
2020-05-26 20:26 ` Failures on Fedora-i686, branch master gdb-buildbot
2020-05-26 20:39 ` Failures on Fedora-x86_64-cc-with-index, " gdb-buildbot
2020-05-26 21:03 ` Failures on Fedora-x86_64-m32, " gdb-buildbot
2020-05-26 21:47 ` Failures on Fedora-x86_64-native-extended-gdbserver-m32, " gdb-buildbot
2020-05-26 21:57 ` Failures on Fedora-x86_64-native-extended-gdbserver-m64, " gdb-buildbot
2020-05-26 23:50 ` Failures on Fedora-x86_64-native-gdbserver-m32, " gdb-buildbot
2020-05-27  0:00 ` Failures on Fedora-x86_64-native-gdbserver-m64, " gdb-buildbot
