Fix decoding of Windows resources.
PR binutils/17512 * rescoff.c (read_coff_res_dir): Fix detection of buffer overrun. * resbin.c (bin_to_res_version): Allow for the padded length of a version block to be longer than the recorded length. Skip padding bytes.
parent
ff20cab8a2
commit
4931146e91
3 changed files with 21 additions and 5 deletions
|
@ -1,3 +1,11 @@
|
||||||
|
2016-07-28 Nick Clifton <nickc@redhat.com>
|
||||||
|
|
||||||
|
PR binutils/17512
|
||||||
|
* rescoff.c (read_coff_res_dir): Fix detection of buffer overrun.
|
||||||
|
* resbin.c (bin_to_res_version): Allow for the padded length of a
|
||||||
|
version block to be longer than the recorded length. Skip padding
|
||||||
|
bytes.
|
||||||
|
|
||||||
2016-07-21 H.J. Lu <hongjiu.lu@intel.com>
|
2016-07-21 H.J. Lu <hongjiu.lu@intel.com>
|
||||||
|
|
||||||
* configure: Regenerated.
|
* configure: Regenerated.
|
||||||
|
|
|
@ -961,9 +961,10 @@ bin_to_res_version (windres_bfd *wrbfd, const bfd_byte *data, rc_uint_type lengt
|
||||||
get_version_header (wrbfd, data, length, "VS_VERSION_INFO",
|
get_version_header (wrbfd, data, length, "VS_VERSION_INFO",
|
||||||
(unichar **) NULL, &verlen, &vallen, &type, &off);
|
(unichar **) NULL, &verlen, &vallen, &type, &off);
|
||||||
|
|
||||||
if ((unsigned int) verlen != length)
|
/* PR 17512: The verlen field does not include padding length. */
|
||||||
fatal (_("version length %d does not match resource length %lu"),
|
if (verlen > length)
|
||||||
(int) verlen, (unsigned long) length);
|
fatal (_("version length %lu greater than resource length %lu"),
|
||||||
|
verlen, length);
|
||||||
|
|
||||||
if (type != 0)
|
if (type != 0)
|
||||||
fatal (_("unexpected version type %d"), (int) type);
|
fatal (_("unexpected version type %d"), (int) type);
|
||||||
|
@ -1164,8 +1165,15 @@ bin_to_res_version (windres_bfd *wrbfd, const bfd_byte *data, rc_uint_type lengt
|
||||||
vallen -= 4;
|
vallen -= 4;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else if (ch == 0)
|
||||||
|
{
|
||||||
|
if (length == 8)
|
||||||
|
/* Padding - skip. */
|
||||||
|
break;
|
||||||
|
fatal (_("nul bytes found in version string"));
|
||||||
|
}
|
||||||
else
|
else
|
||||||
fatal (_("unexpected version string"));
|
fatal (_("unexpected version string character: %x"), ch);
|
||||||
|
|
||||||
vi->next = NULL;
|
vi->next = NULL;
|
||||||
*pp = vi;
|
*pp = vi;
|
||||||
|
|
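Review bot: The new `fatal` call in the first hunk passes `verlen` and `length` straight to `%lu`, dropping the casts the old call had, so the format is only correct if `rc_uint_type` is `unsigned long` on every host. Its definition is not visible on this page; if it is wider on some builds, the mismatch is undefined behaviour on exactly the malformed inputs this path reports. Keeping the casts removes that dependency: `(unsigned long) verlen, (unsigned long) length);`. In the second hunk, the `length == 8` test would benefit from a comment stating why exactly eight remaining bytes are treated as padding, because the relaxed `verlen > length` check now lets any number of trailing bytes reach that loop. bin_to_res_version starts and ends outside both hunks.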
|
@ -249,7 +249,7 @@ read_coff_res_dir (windres_bfd *wrbfd, const bfd_byte *data,
|
||||||
for (j = 0; j < length; j++)
|
for (j = 0; j < length; j++)
|
||||||
{
|
{
|
||||||
/* PR 17512: file: 05dc4a16. */
|
/* PR 17512: file: 05dc4a16. */
|
||||||
if (length < 0 || ers >= (bfd_byte *) ere || ers + j * 2 + 4 >= (bfd_byte *) ere)
|
if (length < 0 || ers >= flaginfo->data_end || ers + j * 2 + 4 >= flaginfo->data_end)
|
||||||
overrun (flaginfo, _("resource name"));
|
overrun (flaginfo, _("resource name"));
|
||||||
re->id.u.n.name[j] = windres_get_16 (wrbfd, ers + j * 2 + 2, 2);
|
re->id.u.n.name[j] = windres_get_16 (wrbfd, ers + j * 2 + 2, 2);
|
||||||
}
|
}
|
||||||
|
|
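Review bot: The bound in the changed `if` is still computed as a pointer sum, `ers + j * 2 + 4`, which can point past the end of the buffer before it is compared when the name length (presumably read from the input file) is large. Forming such a pointer is undefined behaviour, so a compiler may assume the comparison is never true. Comparing the remaining byte count applies the same rejection rule without out-of-range arithmetic: `if (ers >= flaginfo->data_end || flaginfo->data_end - ers <= j * 2 + 4)`. The `length < 0` term looks unreachable inside `for (j = 0; j < length; j++)` if both variables are signed, and the whole test could run once before the loop against `length * 2 + 2`. The declarations and the rest of read_coff_res_dir are outside the hunk, so confirm the types first.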