Fix memory access violations triggered by running sysdump on fuzzed binaries.

PR binutils/17512
	* sysdump.c (getINT): Fail if reading off the end of the buffer.
	Replace call to abort with a call to fatal.
	(getCHARS): Prevetn reading off the end of the buffer.
This commit is contained in:
Nick Clifton 2015-01-08 13:52:42 +00:00
parent 2279a12a44
commit 848cde35d6
2 changed files with 16 additions and 2 deletions

View file

@ -1,6 +1,10 @@
2015-01-08 Nick Clifton <nickc@redhat.com>
PR binutils/17512
* sysdump.c (getINT): Fail if reading off the end of the buffer.
Replace call to abort with a call to fatal.
(getCHARS): Prevetn reading off the end of the buffer.
* nlmconv.c (i386_mangle_relocs): Skip relocs without an
associated symbol.
(powerpc_mangle_relocs): Skip unrecognised relocs. Check address

View file

@ -66,6 +66,9 @@ getCHARS (unsigned char *ptr, int *idx, int size, int max)
if (b == 0)
{
/* PR 17512: file: 13caced2. */
if (oc >= max)
return _("*corrupt*");
/* Got to work out the length of the string from self. */
b = ptr[oc++];
(*idx) += 8;
@ -166,7 +169,12 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
int byte = *idx / 8;
if (byte >= max)
return 0;
{
/* PR 17512: file: id:000001,src:000002,op:flip1,pos:45. */
/* Prevent infinite loops re-reading beyond the end of the buffer. */
fatal (_("ICE: getINT: Out of buffer space"));
return 0;
}
if (size == -2)
size = addrsize;
@ -188,7 +196,7 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]);
break;
default:
abort ();
fatal (_("Unsupported read size: %d"), size);
}
*idx += size * 8;
@ -615,6 +623,8 @@ module (void)
do
{
c = getc (file);
if (c == EOF)
break;
ungetc (c, file);
c &= 0x7f;