Fixes for memory access violations exposed by fuzzing various binaries.

PR binutils/17512
	* dwarf.c (get_encoded_value): Check for an encoded size of 0.
	(display_debug_lines_raw): Check for an invalid line range value.
	(display_debug_frames): Check for corrupt augmentation data.

	* coffgen.c (coff_get_normalized_symtab): Check for an excessive
	number of auxillary entries.
	* ieee.c (next_byte): Convert to a function.  Return FALSE if the
	next byte is beyond the end of the buffer.
	(parse_int): Test the return value of next_byte.
	(parse_expression): Convert to boolean.  Return FALSE if the
	parsing failed.  Test the return value of next_byte.
	(ieee_seek): Convert to a function.  Return FALSE if the seek goes
	beyond the end of the buffer.
	(ieee_slurp_external_symbols): Test the return value of ieee_seek
	and next_byte.
	(ieee_slurp_sections): Convert to boolean.  Return FALSE if the
	operation failed.  Test the return value of ieee_seek and
	next_byte.
	(ieee_archive_p): Test the return value of ieee_seek and
	next_byte.
	(do_one): Likewise.
	(ieee_slurp_section_data): Likewise.
	(ieee_object_p): Likewise.  Store the size of the buffer in the
	total_amt field in the header.
	* libieee.h (common_header_type): Add amt field.
	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Check that the
	reloc's value is within range.
	(bfd_mach_o_read_symtab_symbols): Nullify the symbols field if the
	operation fails.
	* pei-x86_64.c (pex64_xdata_print_uwd_codes): Replace abort with
	an error message.
	(pex64_dump_xdata): Check for buffer overflows.
	* versados.c (process_otr): Check that the section exists before
	taking its size.
	(versados_object_p): Make sure that enough data was read for the
	header to be checked.
	* vms-alpha.c (vms_get_remaining_object_record): Change
	read_so_far parameter to an unsigned int.  Check that the amount
	read is in range.
This commit is contained in:
Nick Clifton 2014-11-21 21:44:04 +00:00
parent 5974eba65b
commit 0a9d414aa1
10 changed files with 334 additions and 112 deletions


@ -1,3 +1,42 @@
2014-11-21 Nick Clifton <nickc@redhat.com>
PR binutils/17512
* coffgen.c (coff_get_normalized_symtab): Check for an excessive
number of auxillary entries.
* ieee.c (next_byte): Convert to a function. Return FALSE if the
next byte is beyond the end of the buffer.
(parse_int): Test the return value of next_byte.
(parse_expression): Convert to boolean. Return FALSE if the
parsing failed. Test the return value of next_byte.
(ieee_seek): Convert to a function. Return FALSE if the seek goes
beyond the end of the buffer.
(ieee_slurp_external_symbols): Test the return value of ieee_seek
and next_byte.
(ieee_slurp_sections): Convert to boolean. Return FALSE if the
operation failed. Test the return value of ieee_seek and
next_byte.
(ieee_archive_p): Test the return value of ieee_seek and
next_byte.
(do_one): Likewise.
(ieee_slurp_section_data): Likewise.
(ieee_object_p): Likewise. Store the size of the buffer in the
total_amt field in the header.
* libieee.h (common_header_type): Add amt field.
* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Check that the
reloc's value is within range.
(bfd_mach_o_read_symtab_symbols): Nullify the symbols field if the
operation fails.
* pei-x86_64.c (pex64_xdata_print_uwd_codes): Replace abort with
an error message.
(pex64_dump_xdata): Check for buffer overflows.
* versados.c (process_otr): Check that the section exists before
taking its size.
(versados_object_p): Make sure that enough data was read for the
header to be checked.
* vms-alpha.c (vms_get_remaining_object_record): Change
read_so_far parameter to an unsigned int. Check that the amount
read is in range.
2014-11-21 H.J. Lu <hongjiu.lu@intel.com> 2014-11-21 H.J. Lu <hongjiu.lu@intel.com>
* elf64-x86-64.c (elf_x86_64_finish_dynamic_symbol): Optimize * elf64-x86-64.c (elf_x86_64_finish_dynamic_symbol): Optimize


@ -1808,6 +1808,16 @@ coff_get_normalized_symtab (bfd *abfd)
symbol_ptr = internal_ptr; symbol_ptr = internal_ptr;
internal_ptr->is_sym = TRUE; internal_ptr->is_sym = TRUE;
/* PR 17512: file: 1353-1166-0.004. */
if (symbol_ptr->u.syment.n_sclass == C_FILE
&& symbol_ptr->u.syment.n_numaux > 0
&& raw_src + symesz + symbol_ptr->u.syment.n_numaux
* sizeof (union internal_auxent) >= raw_end)
{
bfd_release (abfd, internal);
return NULL;
}
for (i = 0; for (i = 0;
i < symbol_ptr->u.syment.n_numaux; i < symbol_ptr->u.syment.n_numaux;
i++) i++)
@ -1815,14 +1825,19 @@ coff_get_normalized_symtab (bfd *abfd)
internal_ptr++; internal_ptr++;
/* PR 17512: Prevent buffer overrun. */ /* PR 17512: Prevent buffer overrun. */
if (internal_ptr >= internal_end) if (internal_ptr >= internal_end)
return NULL; {
bfd_release (abfd, internal);
return NULL;
}
raw_src += symesz; raw_src += symesz;
bfd_coff_swap_aux_in (abfd, (void *) raw_src, bfd_coff_swap_aux_in (abfd, (void *) raw_src,
symbol_ptr->u.syment.n_type, symbol_ptr->u.syment.n_type,
symbol_ptr->u.syment.n_sclass, symbol_ptr->u.syment.n_sclass,
(int) i, symbol_ptr->u.syment.n_numaux, (int) i, symbol_ptr->u.syment.n_numaux,
&(internal_ptr->u.auxent)); &(internal_ptr->u.auxent));
internal_ptr->is_sym = FALSE; internal_ptr->is_sym = FALSE;
coff_pointerize_aux (abfd, internal, symbol_ptr, i, coff_pointerize_aux (abfd, internal, symbol_ptr, i,
internal_ptr); internal_ptr);
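Review bot: The new C_FILE bound in the `if` before the aux loop measures the aux entries with `sizeof (union internal_auxent)`, the in-memory size, while the loop itself advances `raw_src` by `symesz` per aux entry, so the check is expressed in a different unit from the raw buffer it is meant to protect; `symbol_ptr->u.syment.n_numaux * symesz` is the amount of raw input those entries actually occupy. With `>=` a C_FILE symbol whose aux entries end exactly at `raw_end` is also rejected, so `> raw_end` is the exact bound unless the extra slack is intended. Symbols of other classes with an oversized n_numaux are still caught only by the `internal_ptr >= internal_end` test, which bounds the destination array rather than the raw input; whether that is enough depends on both arrays having the same entry count, which is decided outside the hunk. coff_get_normalized_symtab's body continues outside the hunk.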


@ -170,9 +170,16 @@ ieee_write_id (bfd *abfd, const char *id)
standard requires. */ standard requires. */
#define this_byte(ieee) *((ieee)->input_p) #define this_byte(ieee) *((ieee)->input_p)
#define next_byte(ieee) ((ieee)->input_p++)
#define this_byte_and_next(ieee) (*((ieee)->input_p++)) #define this_byte_and_next(ieee) (*((ieee)->input_p++))
static bfd_boolean
next_byte (common_header_type * ieee)
{
ieee->input_p++;
return ieee->input_p < ieee->last_byte;
}
static unsigned short static unsigned short
read_2bytes (common_header_type *ieee) read_2bytes (common_header_type *ieee)
{ {
@ -348,15 +355,15 @@ parse_int (common_header_type *ieee, bfd_vma *value_ptr)
if (value >= 0 && value <= 127) if (value >= 0 && value <= 127)
{ {
*value_ptr = value; *value_ptr = value;
next_byte (ieee); return next_byte (ieee);
return TRUE;
} }
else if (value >= 0x80 && value <= 0x88) else if (value >= 0x80 && value <= 0x88)
{ {
unsigned int count = value & 0xf; unsigned int count = value & 0xf;
result = 0; result = 0;
next_byte (ieee); if (! next_byte (ieee))
return FALSE;
while (count) while (count)
{ {
result = (result << 8) | this_byte_and_next (ieee); result = (result << 8) | this_byte_and_next (ieee);
@ -496,7 +503,7 @@ static reloc_howto_type rel8_howto =
static ieee_symbol_index_type NOSYMBOL = {0, 0}; static ieee_symbol_index_type NOSYMBOL = {0, 0};
static void static bfd_boolean
parse_expression (ieee_data_type *ieee, parse_expression (ieee_data_type *ieee,
bfd_vma *value, bfd_vma *value,
ieee_symbol_index_type *symbol, ieee_symbol_index_type *symbol,
@ -529,68 +536,83 @@ parse_expression (ieee_data_type *ieee,
{ {
int section_n; int section_n;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
*pcrel = TRUE; *pcrel = TRUE;
section_n = must_parse_int (&(ieee->h)); section_n = must_parse_int (&(ieee->h));
(void) section_n; (void) section_n;
PUSH (NOSYMBOL, bfd_abs_section_ptr, 0); PUSH (NOSYMBOL, bfd_abs_section_ptr, 0);
break; break;
} }
case ieee_variable_L_enum: case ieee_variable_L_enum:
/* L variable address of section N. */ /* L variable address of section N. */
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
PUSH (NOSYMBOL, ieee->section_table[must_parse_int (&(ieee->h))], 0); PUSH (NOSYMBOL, ieee->section_table[must_parse_int (&(ieee->h))], 0);
break; break;
case ieee_variable_R_enum: case ieee_variable_R_enum:
/* R variable, logical address of section module. */ /* R variable, logical address of section module. */
/* FIXME, this should be different to L. */ /* FIXME, this should be different to L. */
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
PUSH (NOSYMBOL, ieee->section_table[must_parse_int (&(ieee->h))], 0); PUSH (NOSYMBOL, ieee->section_table[must_parse_int (&(ieee->h))], 0);
break; break;
case ieee_variable_S_enum: case ieee_variable_S_enum:
/* S variable, size in MAUS of section module. */ /* S variable, size in MAUS of section module. */
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
PUSH (NOSYMBOL, PUSH (NOSYMBOL,
0, 0,
ieee->section_table[must_parse_int (&(ieee->h))]->size); ieee->section_table[must_parse_int (&(ieee->h))]->size);
break; break;
case ieee_variable_I_enum: case ieee_variable_I_enum:
/* Push the address of variable n. */ /* Push the address of variable n. */
{ {
ieee_symbol_index_type sy; ieee_symbol_index_type sy;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
sy.index = (int) must_parse_int (&(ieee->h)); sy.index = (int) must_parse_int (&(ieee->h));
sy.letter = 'I'; sy.letter = 'I';
PUSH (sy, bfd_abs_section_ptr, 0); PUSH (sy, bfd_abs_section_ptr, 0);
} }
break; break;
case ieee_variable_X_enum: case ieee_variable_X_enum:
/* Push the address of external variable n. */ /* Push the address of external variable n. */
{ {
ieee_symbol_index_type sy; ieee_symbol_index_type sy;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
sy.index = (int) (must_parse_int (&(ieee->h))); sy.index = (int) (must_parse_int (&(ieee->h)));
sy.letter = 'X'; sy.letter = 'X';
PUSH (sy, bfd_und_section_ptr, 0); PUSH (sy, bfd_und_section_ptr, 0);
} }
break; break;
case ieee_function_minus_enum: case ieee_function_minus_enum:
{ {
bfd_vma value1, value2; bfd_vma value1, value2;
asection *section1, *section_dummy; asection *section1, *section_dummy;
ieee_symbol_index_type sy; ieee_symbol_index_type sy;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
POP (sy, section1, value1); POP (sy, section1, value1);
POP (sy, section_dummy, value2); POP (sy, section_dummy, value2);
PUSH (sy, section1 ? section1 : section_dummy, value2 - value1); PUSH (sy, section1 ? section1 : section_dummy, value2 - value1);
} }
break; break;
case ieee_function_plus_enum: case ieee_function_plus_enum:
{ {
bfd_vma value1, value2; bfd_vma value1, value2;
@ -599,7 +621,8 @@ parse_expression (ieee_data_type *ieee,
ieee_symbol_index_type sy1; ieee_symbol_index_type sy1;
ieee_symbol_index_type sy2; ieee_symbol_index_type sy2;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
POP (sy1, section1, value1); POP (sy1, section1, value1);
POP (sy2, section2, value2); POP (sy2, section2, value2);
@ -608,6 +631,7 @@ parse_expression (ieee_data_type *ieee,
value1 + value2); value1 + value2);
} }
break; break;
default: default:
{ {
bfd_vma va; bfd_vma va;
@ -644,18 +668,10 @@ parse_expression (ieee_data_type *ieee,
POP (*symbol, dummy, *value); POP (*symbol, dummy, *value);
if (section) if (section)
*section = dummy; *section = dummy;
return TRUE;
} }
#define ieee_seek(ieee, offset) \
do \
{ \
ieee->h.input_p = ieee->h.first_byte + offset; \
ieee->h.last_byte = (ieee->h.first_byte \
+ ieee_part_after (ieee, offset)); \
} \
while (0)
#define ieee_pos(ieee) \ #define ieee_pos(ieee) \
(ieee->h.input_p - ieee->h.first_byte) (ieee->h.input_p - ieee->h.first_byte)
@ -676,6 +692,22 @@ ieee_part_after (ieee_data_type *ieee, file_ptr here)
return after; return after;
} }
static bfd_boolean
ieee_seek (ieee_data_type * ieee, file_ptr offset)
{
/* PR 17512: file: 017-1157-0.004. */
if (offset < 0 || (bfd_size_type) offset >= ieee->h.total_amt)
{
ieee->h.input_p = ieee->h.first_byte + ieee->h.total_amt;
ieee->h.last_byte = ieee->h.input_p;
return FALSE;
}
ieee->h.input_p = ieee->h.first_byte + offset;
ieee->h.last_byte = (ieee->h.first_byte + ieee_part_after (ieee, offset));
return TRUE;
}
static unsigned int last_index; static unsigned int last_index;
static char last_type; /* Is the index for an X or a D. */ static char last_type; /* Is the index for an X or a D. */
@ -730,14 +762,16 @@ ieee_slurp_external_symbols (bfd *abfd)
last_index = 0xffffff; last_index = 0xffffff;
ieee->symbol_table_full = TRUE; ieee->symbol_table_full = TRUE;
ieee_seek (ieee, offset); if (! ieee_seek (ieee, offset))
return FALSE;
while (loop) while (loop)
{ {
switch (this_byte (&(ieee->h))) switch (this_byte (&(ieee->h)))
{ {
case ieee_nn_record: case ieee_nn_record:
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
symbol = get_symbol (abfd, ieee, symbol, &symbol_count, symbol = get_symbol (abfd, ieee, symbol, &symbol_count,
& prev_symbols_ptr, & prev_symbols_ptr,
@ -750,8 +784,10 @@ ieee_slurp_external_symbols (bfd *abfd)
symbol->symbol.udata.p = NULL; symbol->symbol.udata.p = NULL;
symbol->symbol.flags = BSF_NO_FLAGS; symbol->symbol.flags = BSF_NO_FLAGS;
break; break;
case ieee_external_symbol_enum: case ieee_external_symbol_enum:
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
symbol = get_symbol (abfd, ieee, symbol, &symbol_count, symbol = get_symbol (abfd, ieee, symbol, &symbol_count,
&prev_symbols_ptr, &prev_symbols_ptr,
@ -842,6 +878,7 @@ ieee_slurp_external_symbols (bfd *abfd)
} }
} }
break; break;
case ieee_value_record_enum >> 8: case ieee_value_record_enum >> 8:
{ {
unsigned int symbol_name_index; unsigned int symbol_name_index;
@ -849,17 +886,20 @@ ieee_slurp_external_symbols (bfd *abfd)
bfd_boolean pcrel_ignore; bfd_boolean pcrel_ignore;
unsigned int extra; unsigned int extra;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
next_byte (&(ieee->h)); return FALSE;
if (! next_byte (&(ieee->h)))
return FALSE;
symbol_name_index = must_parse_int (&(ieee->h)); symbol_name_index = must_parse_int (&(ieee->h));
(void) symbol_name_index; (void) symbol_name_index;
parse_expression (ieee, if (! parse_expression (ieee,
&symbol->symbol.value, &symbol->symbol.value,
&symbol_ignore, &symbol_ignore,
&pcrel_ignore, &pcrel_ignore,
&extra, &extra,
&symbol->symbol.section); &symbol->symbol.section))
return FALSE;
/* Fully linked IEEE-695 files tend to give every symbol /* Fully linked IEEE-695 files tend to give every symbol
an absolute value. Try to convert that back into a an absolute value. Try to convert that back into a
@ -892,7 +932,9 @@ ieee_slurp_external_symbols (bfd *abfd)
bfd_vma size; bfd_vma size;
bfd_vma value; bfd_vma value;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
/* Throw away the external reference index. */ /* Throw away the external reference index. */
(void) must_parse_int (&(ieee->h)); (void) must_parse_int (&(ieee->h));
/* Fetch the default size if not resolved. */ /* Fetch the default size if not resolved. */
@ -907,7 +949,8 @@ ieee_slurp_external_symbols (bfd *abfd)
break; break;
case ieee_external_reference_enum: case ieee_external_reference_enum:
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
symbol = get_symbol (abfd, ieee, symbol, &symbol_count, symbol = get_symbol (abfd, ieee, symbol, &symbol_count,
&prev_reference_ptr, &prev_reference_ptr,
@ -1092,7 +1135,7 @@ get_section_entry (bfd *abfd, ieee_data_type *ieee, unsigned int sindex)
return ieee->section_table[sindex]; return ieee->section_table[sindex];
} }
static void static bfd_boolean
ieee_slurp_sections (bfd *abfd) ieee_slurp_sections (bfd *abfd)
{ {
ieee_data_type *ieee = IEEE_DATA (abfd); ieee_data_type *ieee = IEEE_DATA (abfd);
@ -1103,7 +1146,9 @@ ieee_slurp_sections (bfd *abfd)
{ {
bfd_byte section_type[3]; bfd_byte section_type[3];
ieee_seek (ieee, offset); if (! ieee_seek (ieee, offset))
return FALSE;
while (TRUE) while (TRUE)
{ {
switch (this_byte (&(ieee->h))) switch (this_byte (&(ieee->h)))
@ -1113,7 +1158,8 @@ ieee_slurp_sections (bfd *abfd)
asection *section; asection *section;
unsigned int section_index; unsigned int section_index;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
section_index = must_parse_int (&(ieee->h)); section_index = must_parse_int (&(ieee->h));
section = get_section_entry (abfd, ieee, section_index); section = get_section_entry (abfd, ieee, section_index);
@ -1132,22 +1178,26 @@ ieee_slurp_sections (bfd *abfd)
{ {
/* AS Absolute section attributes. */ /* AS Absolute section attributes. */
case 0xD3: case 0xD3:
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
section_type[2] = this_byte (&(ieee->h)); section_type[2] = this_byte (&(ieee->h));
switch (section_type[2]) switch (section_type[2])
{ {
case 0xD0: case 0xD0:
/* Normal code. */ /* Normal code. */
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
section->flags |= SEC_CODE; section->flags |= SEC_CODE;
break; break;
case 0xC4: case 0xC4:
/* Normal data. */ /* Normal data. */
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
section->flags |= SEC_DATA; section->flags |= SEC_DATA;
break; break;
case 0xD2: case 0xD2:
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
/* Normal rom data. */ /* Normal rom data. */
section->flags |= SEC_ROM | SEC_DATA; section->flags |= SEC_ROM | SEC_DATA;
break; break;
@ -1164,15 +1214,18 @@ ieee_slurp_sections (bfd *abfd)
switch (section_type[1]) switch (section_type[1])
{ {
case 0xD0: /* Normal code (CP). */ case 0xD0: /* Normal code (CP). */
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
section->flags |= SEC_CODE; section->flags |= SEC_CODE;
break; break;
case 0xC4: /* Normal data (CD). */ case 0xC4: /* Normal data (CD). */
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
section->flags |= SEC_DATA; section->flags |= SEC_DATA;
break; break;
case 0xD2: /* Normal rom data (CR). */ case 0xD2: /* Normal rom data (CR). */
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
section->flags |= SEC_ROM | SEC_DATA; section->flags |= SEC_ROM | SEC_DATA;
break; break;
default: default:
@ -1201,7 +1254,8 @@ ieee_slurp_sections (bfd *abfd)
bfd_vma value; bfd_vma value;
asection *section; asection *section;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
section_index = must_parse_int (&ieee->h); section_index = must_parse_int (&ieee->h);
section = get_section_entry (abfd, ieee, section_index); section = get_section_entry (abfd, ieee, section_index);
if (section_index > ieee->section_count) if (section_index > ieee->section_count)
@ -1251,15 +1305,17 @@ ieee_slurp_sections (bfd *abfd)
(void) must_parse_int (&(ieee->h)); (void) must_parse_int (&(ieee->h));
break; break;
default: default:
return; return TRUE;
} }
} }
break; break;
default: default:
return; return TRUE;
} }
} }
} }
return TRUE;
} }
/* Make a section for the debugging information, if any. We don't try /* Make a section for the debugging information, if any. We don't try
@ -1323,7 +1379,8 @@ ieee_archive_p (bfd *abfd)
if (this_byte (&(ieee->h)) != Module_Beginning) if (this_byte (&(ieee->h)) != Module_Beginning)
goto got_wrong_format_error; goto got_wrong_format_error;
next_byte (&(ieee->h)); (void) next_byte (&(ieee->h));
library = read_id (&(ieee->h)); library = read_id (&(ieee->h));
if (strcmp (library, "LIBRARY") != 0) if (strcmp (library, "LIBRARY") != 0)
goto got_wrong_format_error; goto got_wrong_format_error;
@ -1334,7 +1391,7 @@ ieee_archive_p (bfd *abfd)
ieee->element_count = 0; ieee->element_count = 0;
ieee->element_index = 0; ieee->element_index = 0;
next_byte (&(ieee->h)); /* Drop the ad part. */ (void) next_byte (&(ieee->h)); /* Drop the ad part. */
must_parse_int (&(ieee->h)); /* And the two dummy numbers. */ must_parse_int (&(ieee->h)); /* And the two dummy numbers. */
must_parse_int (&(ieee->h)); must_parse_int (&(ieee->h));
@ -1407,8 +1464,9 @@ ieee_archive_p (bfd *abfd)
ieee->h.first_byte = buffer; ieee->h.first_byte = buffer;
ieee->h.input_p = buffer; ieee->h.input_p = buffer;
next_byte (&(ieee->h)); /* Drop F8. */ (void) next_byte (&(ieee->h)); /* Drop F8. */
next_byte (&(ieee->h)); /* Drop 14. */ if (! next_byte (&(ieee->h))) /* Drop 14. */
goto error_return;
must_parse_int (&(ieee->h)); /* Drop size of block. */ must_parse_int (&(ieee->h)); /* Drop size of block. */
if (must_parse_int (&(ieee->h)) != 0) if (must_parse_int (&(ieee->h)) != 0)
@ -1467,7 +1525,8 @@ do_one (ieee_data_type *ieee,
unsigned int number_of_maus; unsigned int number_of_maus;
unsigned int i; unsigned int i;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
number_of_maus = must_parse_int (&(ieee->h)); number_of_maus = must_parse_int (&(ieee->h));
for (i = 0; i < number_of_maus; i++) for (i = 0; i < number_of_maus; i++)
@ -1482,7 +1541,8 @@ do_one (ieee_data_type *ieee,
{ {
bfd_boolean loop = TRUE; bfd_boolean loop = TRUE;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
while (loop) while (loop)
{ {
switch (this_byte (&(ieee->h))) switch (this_byte (&(ieee->h)))
@ -1505,13 +1565,16 @@ do_one (ieee_data_type *ieee,
*(current_map->reloc_tail_ptr) = r; *(current_map->reloc_tail_ptr) = r;
current_map->reloc_tail_ptr = &r->next; current_map->reloc_tail_ptr = &r->next;
r->next = (ieee_reloc_type *) NULL; r->next = (ieee_reloc_type *) NULL;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
/* abort();*/ return FALSE;
r->relent.sym_ptr_ptr = 0; r->relent.sym_ptr_ptr = 0;
parse_expression (ieee, if (! parse_expression (ieee,
&r->relent.addend, &r->relent.addend,
&r->symbol, &r->symbol,
&pcrel, &extra, &section); &pcrel, &extra, &section))
return FALSE;
r->relent.address = current_map->pc; r->relent.address = current_map->pc;
s->flags |= SEC_RELOC; s->flags |= SEC_RELOC;
s->owner->flags |= HAS_RELOC; s->owner->flags |= HAS_RELOC;
@ -1521,7 +1584,8 @@ do_one (ieee_data_type *ieee,
if (this_byte (&(ieee->h)) == (int) ieee_comma) if (this_byte (&(ieee->h)) == (int) ieee_comma)
{ {
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
/* Fetch number of bytes to pad. */ /* Fetch number of bytes to pad. */
extra = must_parse_int (&(ieee->h)); extra = must_parse_int (&(ieee->h));
}; };
@ -1529,13 +1593,16 @@ do_one (ieee_data_type *ieee,
switch (this_byte (&(ieee->h))) switch (this_byte (&(ieee->h)))
{ {
case ieee_function_signed_close_b_enum: case ieee_function_signed_close_b_enum:
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
break; break;
case ieee_function_unsigned_close_b_enum: case ieee_function_unsigned_close_b_enum:
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
break; break;
case ieee_function_either_close_b_enum: case ieee_function_either_close_b_enum:
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
break; break;
default: default:
break; break;
@ -1634,7 +1701,8 @@ do_one (ieee_data_type *ieee,
for (i = 0; i < this_size; i++) for (i = 0; i < this_size; i++)
{ {
location_ptr[current_map->pc++] = this_byte (&(ieee->h)); location_ptr[current_map->pc++] = this_byte (&(ieee->h));
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
} }
} }
else else
@ -1667,7 +1735,9 @@ ieee_slurp_section_data (bfd *abfd)
if (ieee->read_data) if (ieee->read_data)
return TRUE; return TRUE;
ieee->read_data = TRUE; ieee->read_data = TRUE;
ieee_seek (ieee, ieee->w.r.data_part);
if (! ieee_seek (ieee, ieee->w.r.data_part))
return FALSE;
/* Allocate enough space for all the section contents. */ /* Allocate enough space for all the section contents. */
for (s = abfd->sections; s != (asection *) NULL; s = s->next) for (s = abfd->sections; s != (asection *) NULL; s = s->next)
@ -1693,7 +1763,8 @@ ieee_slurp_section_data (bfd *abfd)
return TRUE; return TRUE;
case ieee_set_current_section_enum: case ieee_set_current_section_enum:
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
section_number = must_parse_int (&(ieee->h)); section_number = must_parse_int (&(ieee->h));
s = ieee->section_table[section_number]; s = ieee->section_table[section_number];
s->flags |= SEC_LOAD | SEC_HAS_CONTENTS; s->flags |= SEC_LOAD | SEC_HAS_CONTENTS;
@ -1706,7 +1777,8 @@ ieee_slurp_section_data (bfd *abfd)
break; break;
case ieee_e2_first_byte_enum: case ieee_e2_first_byte_enum:
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
switch (this_byte (&(ieee->h))) switch (this_byte (&(ieee->h)))
{ {
case ieee_set_current_pc_enum & 0xff: case ieee_set_current_pc_enum & 0xff:
@ -1716,21 +1788,28 @@ ieee_slurp_section_data (bfd *abfd)
unsigned int extra; unsigned int extra;
bfd_boolean pcrel; bfd_boolean pcrel;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
must_parse_int (&(ieee->h)); /* Throw away section #. */ must_parse_int (&(ieee->h)); /* Throw away section #. */
parse_expression (ieee, &value, if (! parse_expression (ieee, &value,
&symbol, &symbol,
&pcrel, &extra, &pcrel, &extra,
0); 0))
return FALSE;
current_map->pc = value; current_map->pc = value;
BFD_ASSERT ((unsigned) (value - s->vma) <= s->size); BFD_ASSERT ((unsigned) (value - s->vma) <= s->size);
} }
break; break;
case ieee_value_starting_address_enum & 0xff: case ieee_value_starting_address_enum & 0xff:
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
if (this_byte (&(ieee->h)) == ieee_function_either_open_b_enum) if (this_byte (&(ieee->h)) == ieee_function_either_open_b_enum)
next_byte (&(ieee->h)); {
if (! next_byte (&(ieee->h)))
return FALSE;
}
abfd->start_address = must_parse_int (&(ieee->h)); abfd->start_address = must_parse_int (&(ieee->h));
/* We've got to the end of the data now - */ /* We've got to the end of the data now - */
return TRUE; return TRUE;
@ -1748,7 +1827,8 @@ ieee_slurp_section_data (bfd *abfd)
unsigned int iterations; unsigned int iterations;
unsigned char *start; unsigned char *start;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
iterations = must_parse_int (&(ieee->h)); iterations = must_parse_int (&(ieee->h));
start = ieee->h.input_p; start = ieee->h.input_p;
if (start[0] == (int) ieee_load_constant_bytes_enum if (start[0] == (int) ieee_load_constant_bytes_enum
@ -1759,9 +1839,10 @@ ieee_slurp_section_data (bfd *abfd)
location_ptr[current_map->pc++] = start[2]; location_ptr[current_map->pc++] = start[2];
iterations--; iterations--;
} }
next_byte (&(ieee->h)); (void) next_byte (&(ieee->h));
next_byte (&(ieee->h)); (void) next_byte (&(ieee->h));
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
return FALSE;
} }
else else
{ {
@ -1806,6 +1887,7 @@ ieee_object_p (bfd *abfd)
goto got_wrong_format; goto got_wrong_format;
ieee->h.input_p = buffer; ieee->h.input_p = buffer;
ieee->h.total_amt = sizeof (buffer);
if (this_byte_and_next (&(ieee->h)) != Module_Beginning) if (this_byte_and_next (&(ieee->h)) != Module_Beginning)
goto got_wrong_format; goto got_wrong_format;
@ -1901,7 +1983,8 @@ ieee_object_p (bfd *abfd)
if (this_byte (&(ieee->h)) != (int) ieee_address_descriptor_enum) if (this_byte (&(ieee->h)) != (int) ieee_address_descriptor_enum)
goto fail; goto fail;
next_byte (&(ieee->h)); if (! next_byte (&(ieee->h)))
goto fail;
if (! parse_int (&(ieee->h), &ieee->ad.number_of_bits_mau)) if (! parse_int (&(ieee->h), &ieee->ad.number_of_bits_mau))
goto fail; goto fail;
@ -1912,7 +1995,10 @@ ieee_object_p (bfd *abfd)
/* If there is a byte order info, take it. */ /* If there is a byte order info, take it. */
if (this_byte (&(ieee->h)) == (int) ieee_variable_L_enum if (this_byte (&(ieee->h)) == (int) ieee_variable_L_enum
|| this_byte (&(ieee->h)) == (int) ieee_variable_M_enum) || this_byte (&(ieee->h)) == (int) ieee_variable_M_enum)
next_byte (&(ieee->h)); {
if (! next_byte (&(ieee->h)))
goto fail;
}
for (part = 0; part < N_W_VARIABLES; part++) for (part = 0; part < N_W_VARIABLES; part++)
{ {
@ -1943,12 +2029,17 @@ ieee_object_p (bfd *abfd)
goto fail; goto fail;
if (bfd_seek (abfd, (file_ptr) 0, SEEK_SET) != 0) if (bfd_seek (abfd, (file_ptr) 0, SEEK_SET) != 0)
goto fail; goto fail;
/* FIXME: Check return value. I'm not sure whether it needs to read /* FIXME: Check return value. I'm not sure whether it needs to read
the entire buffer or not. */ the entire buffer or not. */
bfd_bread ((void *) (IEEE_DATA (abfd)->h.first_byte), amt = bfd_bread ((void *) (IEEE_DATA (abfd)->h.first_byte),
(bfd_size_type) ieee->w.r.me_record + 1, abfd); (bfd_size_type) ieee->w.r.me_record + 1, abfd);
if (amt <= 0)
goto fail;
ieee_slurp_sections (abfd); IEEE_DATA (abfd)->h.total_amt = amt;
if (ieee_slurp_sections (abfd))
goto fail;
if (! ieee_slurp_debug (abfd)) if (! ieee_slurp_debug (abfd))
goto fail; goto fail;
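Review bot: The new test `if (ieee_slurp_sections (abfd)) goto fail;` in ieee_object_p is inverted: ieee_slurp_sections now returns TRUE on every successful path (its two `default:` exits and the final return) and FALSE only when ieee_seek or next_byte runs off the buffer, so every well-formed object is sent to `fail` and only corrupt ones proceed. It should read `if (! ieee_slurp_sections (abfd)) goto fail;`, matching the `if (! ieee_slurp_debug (abfd))` test on the next line. The preceding `if (amt <= 0) goto fail;` is also weaker than it looks if `amt` is a bfd_size_type like the new total_amt field, since bfd_bread reports a failed read as `(bfd_size_type) -1`, which is not `<= 0`; comparing against `(bfd_size_type) -1` or `0` explicitly would cover both cases. Elsewhere in this file the `(void) next_byte (&(ieee->h));` calls in ieee_archive_p discard the new bounds result right before read_id/must_parse_int consume further bytes, which deserves a second look since that function sets first_byte and input_p but no last_byte in the visible lines. ieee_object_p's body continues outside the hunk.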


@ -66,6 +66,7 @@ typedef struct {
unsigned char *input_p; unsigned char *input_p;
unsigned char *first_byte; unsigned char *first_byte;
unsigned char *last_byte; unsigned char *last_byte;
bfd_size_type total_amt;
bfd *abfd; bfd *abfd;
} common_header_type ; } common_header_type ;
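Review bot: The new `total_amt` member is added with no comment, so its relation to `first_byte` and `last_byte` has to be reverse-engineered from ieee.c, where it receives the byte count bfd_bread stored at first_byte (or sizeof the header buffer) and ieee_seek rejects any offset at or beyond it. A one-line comment would fix that: `bfd_size_type total_amt; /* Number of bytes available at first_byte; ieee_seek refuses offsets beyond it. */`. The enclosing typedef starts outside the hunk.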


@ -1363,9 +1363,11 @@ bfd_mach_o_canonicalize_one_reloc (bfd *abfd,
} }
else else
{ {
/* PR 17512: file: 006-2964-0.004. */
if (num >= mdata->nsects)
return -1;
/* A section number. */ /* A section number. */
BFD_ASSERT (num <= mdata->nsects);
sym = mdata->sections[num - 1]->bfdsection->symbol_ptr_ptr; sym = mdata->sections[num - 1]->bfdsection->symbol_ptr_ptr;
/* For a symbol defined in section S, the addend (stored in the /* For a symbol defined in section S, the addend (stored in the
binary) contains the address of the section. To comply with binary) contains the address of the section. To comply with
@ -3660,10 +3662,8 @@ bfd_mach_o_read_symtab_symbols (bfd *abfd)
unsigned long i; unsigned long i;
if (sym == NULL || sym->symbols) if (sym == NULL || sym->symbols)
{ /* Return now if there are no symbols or if already loaded. */
/* Return now if there are no symbols or if already loaded. */ return TRUE;
return TRUE;
}
sym->symbols = bfd_alloc (abfd, sym->nsyms * sizeof (bfd_mach_o_asymbol)); sym->symbols = bfd_alloc (abfd, sym->nsyms * sizeof (bfd_mach_o_asymbol));
@ -3674,12 +3674,18 @@ bfd_mach_o_read_symtab_symbols (bfd *abfd)
} }
if (!bfd_mach_o_read_symtab_strtab (abfd)) if (!bfd_mach_o_read_symtab_strtab (abfd))
return FALSE; {
sym->symbols = NULL;
return FALSE;
}
for (i = 0; i < sym->nsyms; i++) for (i = 0; i < sym->nsyms; i++)
{ {
if (!bfd_mach_o_read_symtab_symbol (abfd, sym, &sym->symbols[i], i)) if (!bfd_mach_o_read_symtab_symbol (abfd, sym, &sym->symbols[i], i))
return FALSE; {
sym->symbols = NULL;
return FALSE;
}
} }
return TRUE; return TRUE;
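Review bot: The new range check `if (num >= mdata->nsects) return -1;` in bfd_mach_o_canonicalize_one_reloc is off by one against the index it guards: the next statement reads `mdata->sections[num - 1]`, so `num == mdata->nsects` names the valid last section and is now rejected, while `num == 0` passes the check and then indexes with `num - 1` (a wrap to a huge index if num is unsigned), unless a zero section number is already diverted above the hunk. The assertion this replaces used `num <= mdata->nsects`, which matches the one-based numbering. The check should read `if (num == 0 || num > mdata->nsects) return -1;`. The function's body starts and ends outside the hunk.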


@ -276,8 +276,9 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
fprintf (file, ", unknown(%u))", info); fprintf (file, ", unknown(%u))", info);
break; break;
default: default:
/* Already caught by the previous scan. */ /* PR 17512: file: 2245-7442-0.004. */
abort (); fprintf (file, _("Unknown: %x"), PEX64_UNWCODE_CODE (dta[1]));
break;
} }
if (unexpected) if (unexpected)
fprintf (file, " [Unexpected!]"); fprintf (file, " [Unexpected!]");
@ -317,20 +318,34 @@ pex64_dump_xdata (FILE *file, bfd *abfd,
bfd_vma vaddr; bfd_vma vaddr;
bfd_vma end_addr; bfd_vma end_addr;
bfd_vma addr = rf->rva_UnwindData; bfd_vma addr = rf->rva_UnwindData;
bfd_size_type sec_size = xdata_section->rawsize > 0 ? xdata_section->rawsize : xdata_section->size;
struct pex64_unwind_info ui; struct pex64_unwind_info ui;
vaddr = xdata_section->vma - pe_data (abfd)->pe_opthdr.ImageBase; vaddr = xdata_section->vma - pe_data (abfd)->pe_opthdr.ImageBase;
addr -= vaddr; addr -= vaddr;
if (endx) /* PR 17512: file: 2245-7442-0.004. */
end_addr = endx[0] - vaddr; if (addr >= sec_size)
else {
end_addr = (xdata_section->rawsize != 0 ? fprintf (file, _("warning: xdata section corrupt\n"));
xdata_section->rawsize : xdata_section->size); return;
}
if (endx)
{
end_addr = endx[0] - vaddr;
/* PR 17512: file: 2245-7442-0.004. */
if (end_addr > sec_size)
{
fprintf (file, _("warning: xdata section corrupt"));
end_addr = sec_size;
}
}
else
end_addr = sec_size;
pex64_get_unwind_info (abfd, &ui, &xdata[addr]); pex64_get_unwind_info (abfd, &ui, &xdata[addr]);
if (ui.Version != 1 && ui.Version != 2) if (ui.Version != 1 && ui.Version != 2)
{ {
unsigned int i; unsigned int i;
@ -380,7 +395,11 @@ pex64_dump_xdata (FILE *file, bfd *abfd,
ui.FrameRegister == 0 ? "none" ui.FrameRegister == 0 ? "none"
: pex_regs[(unsigned int) ui.FrameRegister]); : pex_regs[(unsigned int) ui.FrameRegister]);
pex64_xdata_print_uwd_codes (file, abfd, &ui, rf); /* PR 17512: file: 2245-7442-0.004. */
if (ui.CountOfCodes * 2 + ui.rawUnwindCodes + addr >= xdata + xdata_section->size)
fprintf (file, _("Too many unwind codes (%ld)\n"), (long) ui.CountOfCodes);
else
pex64_xdata_print_uwd_codes (file, abfd, &ui, rf);
switch (ui.Flags) switch (ui.Flags)
{ {
@ -573,6 +592,7 @@ pex64_bfd_print_pdata (bfd *abfd, void *vfile)
if (i + PDATA_ROW_SIZE > stop) if (i + PDATA_ROW_SIZE > stop)
break; break;
pex64_get_runtime_function (abfd, &rf, &pdata[i]); pex64_get_runtime_function (abfd, &rf, &pdata[i]);
if (rf.rva_BeginAddress == 0 && rf.rva_EndAddress == 0 if (rf.rva_BeginAddress == 0 && rf.rva_EndAddress == 0
@ -642,6 +662,7 @@ pex64_bfd_print_pdata (bfd *abfd, void *vfile)
identical pointers in the array; advance past all of them. */ identical pointers in the array; advance past all of them. */
while (p[0] <= rf.rva_UnwindData) while (p[0] <= rf.rva_UnwindData)
++p; ++p;
if (p[0] == ~((bfd_vma) 0)) if (p[0] == ~((bfd_vma) 0))
p = NULL; p = NULL;


@ -430,7 +430,8 @@ process_otr (bfd *abfd, struct ext_otr *otr, int pass)
else else
{ {
need_contents = 1; need_contents = 1;
if (dst_idx < esdid->section->size)
if (esdid->section && dst_idx < esdid->section->size)
if (pass == 2) if (pass == 2)
{ {
/* Absolute code, comes in 16 bit lumps. */ /* Absolute code, comes in 16 bit lumps. */
@ -445,8 +446,15 @@ process_otr (bfd *abfd, struct ext_otr *otr, int pass)
if (!contents && need_contents) if (!contents && need_contents)
{ {
bfd_size_type size = esdid->section->size; if (esdid->section)
esdid->contents = bfd_alloc (abfd, size); {
bfd_size_type size;
size = esdid->section->size;
esdid->contents = bfd_alloc (abfd, size);
}
else
esdid->contents = NULL;
} }
} }
@ -585,6 +593,13 @@ versados_object_p (bfd *abfd)
return NULL; return NULL;
} }
/* PR 17512: file: 726-2128-0.004. */
if (len < 13)
{
bfd_set_error (bfd_error_wrong_format);
return NULL;
}
if (bfd_bread (&ext.type, (bfd_size_type) len, abfd) != len) if (bfd_bread (&ext.type, (bfd_size_type) len, abfd) != len)
{ {
if (bfd_get_error () != bfd_error_system_call) if (bfd_get_error () != bfd_error_system_call)
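Review bot: The `len < 13` floor added to versados_object_p is a bare magic number; a one-line comment saying which header fields those 13 bytes cover (e.g. `/* Smallest header whose fields are inspected below.  */`) would let the next reader check it against the ext layout, which is not visible here. In process_otr the `bfd_alloc (abfd, size)` result is still stored into `esdid->contents` unchecked; bfd_alloc returns NULL on failure, and the pass-2 writes into contents (outside the hunk) would then dereference it, so either test the result here or make sure the caller's `contents` test covers it. The enclosing process_otr body starts and ends outside the hunk.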


@ -364,9 +364,9 @@ struct vms_section_data_struct
((struct vms_section_data_struct *)sec->used_by_bfd) ((struct vms_section_data_struct *)sec->used_by_bfd)
/* To be called from the debugger. */ /* To be called from the debugger. */
struct vms_private_data_struct *bfd_vms_get_data (bfd *abfd); struct vms_private_data_struct *bfd_vms_get_data (bfd *);
static int vms_get_remaining_object_record (bfd *abfd, int read_so_far); static int vms_get_remaining_object_record (bfd *, unsigned int);
static bfd_boolean _bfd_vms_slurp_object_records (bfd * abfd); static bfd_boolean _bfd_vms_slurp_object_records (bfd * abfd);
static void alpha_vms_add_fixup_lp (struct bfd_link_info *, bfd *, bfd *); static void alpha_vms_add_fixup_lp (struct bfd_link_info *, bfd *, bfd *);
static void alpha_vms_add_fixup_ca (struct bfd_link_info *, bfd *, bfd *); static void alpha_vms_add_fixup_ca (struct bfd_link_info *, bfd *, bfd *);
@ -374,8 +374,8 @@ static void alpha_vms_add_fixup_qr (struct bfd_link_info *, bfd *, bfd *,
bfd_vma); bfd_vma);
static void alpha_vms_add_fixup_lr (struct bfd_link_info *, unsigned int, static void alpha_vms_add_fixup_lr (struct bfd_link_info *, unsigned int,
bfd_vma); bfd_vma);
static void alpha_vms_add_lw_reloc (struct bfd_link_info *info); static void alpha_vms_add_lw_reloc (struct bfd_link_info *);
static void alpha_vms_add_qw_reloc (struct bfd_link_info *info); static void alpha_vms_add_qw_reloc (struct bfd_link_info *);
struct vector_type struct vector_type
{ {
@ -788,7 +788,7 @@ _bfd_vms_get_object_record (bfd *abfd)
Return the size of the record or 0 on failure. */ Return the size of the record or 0 on failure. */
static int static int
vms_get_remaining_object_record (bfd *abfd, int read_so_far) vms_get_remaining_object_record (bfd *abfd, unsigned int read_so_far)
{ {
unsigned int to_read; unsigned int to_read;
@ -824,7 +824,10 @@ vms_get_remaining_object_record (bfd *abfd, int read_so_far)
return 0; return 0;
PRIV (recrd.buf_size) = to_read; PRIV (recrd.buf_size) = to_read;
} }
/* PR 17512: file: 025-1974-0.004. */
else if (to_read <= read_so_far)
return 0;
/* Read the remaining record. */ /* Read the remaining record. */
to_read -= read_so_far; to_read -= read_so_far;
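Review bot: The new `else if (to_read <= read_so_far)` guard only runs when the record buffer did not need growing; on the grow path the following `to_read -= read_so_far` is unchecked and relies on an invariant (read_so_far never exceeding the old buf_size) that this hunk does not establish. Making it an unconditional `if (to_read <= read_so_far) return 0;` placed after the grow branch removes that dependency at no cost. Note also that `to_read == read_so_far` is treated as failure; if a record with no payload beyond the already-read bytes is legal in this format, the test should be `<`. vms_get_remaining_object_record begins before the hunk, so where `to_read` is decoded from is not visible here.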


@ -1,3 +1,10 @@
2014-11-21 Nick Clifton <nickc@redhat.com>
PR binutils/17512
* dwarf.c (get_encoded_value): Check for an encoded size of 0.
(display_debug_lines_raw): Check for an invalid line range value.
(display_debug_frames): Check for corrupt augmentation data.
2014-11-21 Nick Clifton <nickc@redhat.com> 2014-11-21 Nick Clifton <nickc@redhat.com>
PR binutils/17531 PR binutils/17531


@ -142,6 +142,14 @@ get_encoded_value (unsigned char **pdata,
return 0; return 0;
} }
/* PR 17512: file: 1085-5603-0.004. */
if (size == 0)
{
warn (_("Encoded size of 0 is too small to read\n"));
* pdata = end;
return 0;
}
if (encoding & DW_EH_PE_signed) if (encoding & DW_EH_PE_signed)
val = byte_get_signed (data, size); val = byte_get_signed (data, size);
else else
@ -2786,6 +2794,13 @@ display_debug_lines_raw (struct dwarf_section *section,
printf (_(" Line Range: %d\n"), linfo.li_line_range); printf (_(" Line Range: %d\n"), linfo.li_line_range);
printf (_(" Opcode Base: %d\n"), linfo.li_opcode_base); printf (_(" Opcode Base: %d\n"), linfo.li_opcode_base);
/* PR 17512: file: 1665-6428-0.004. */
if (linfo.li_line_range == 0)
{
warn (_("Line range of 0 is invalid, using 1 instead\n"));
linfo.li_line_range = 1;
}
reset_state_machine (linfo.li_default_is_stmt); reset_state_machine (linfo.li_default_is_stmt);
/* Display the contents of the Opcodes table. */ /* Display the contents of the Opcodes table. */
@ -5697,6 +5712,15 @@ display_debug_frames (struct dwarf_section *section,
augmentation_data_len = LEB (); augmentation_data_len = LEB ();
augmentation_data = start; augmentation_data = start;
start += augmentation_data_len; start += augmentation_data_len;
/* PR 17512: file: 722-8446-0.004. */
if (start >= end)
{
warn (_("Corrupt augmentation data length: %lx\n"),
augmentation_data_len);
start = end;
augmentation_data = NULL;
augmentation_data_len = 0;
}
} }
printf ("\n%08lx %s %s FDE cie=%08lx pc=", printf ("\n%08lx %s %s FDE cie=%08lx pc=",
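Review bot: In display_debug_frames the overflow test is performed after `start += augmentation_data_len`, so a huge LEB value can wrap the pointer (undefined behaviour, and on a 64-bit build a wrapped `start` can land below `end` and pass the check). Test the length against the remaining bytes before advancing — replace the `start +=` / `if (start >= end)` pair with `if (augmentation_data_len > (size_t) (end - start))` and move `start += augmentation_data_len;` into an `else` after the warning block. The `start >= end` form also rejects augmentation data that ends exactly at `end`, which the length-based test accepts. The LEB() macro and the function's enclosing loop are outside the hunk, so augmentation_data_len is assumed unsigned here.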