From 848cde35d61874521ad6c88a50f983d5ee7d2307 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Thu, 8 Jan 2015 13:52:42 +0000 Subject: [PATCH] Fix memory access violations triggered by running sysdump on fuzzed binaries. PR binutils/17512 * sysdump.c (getINT): Fail if reading off the end of the buffer. Replace call to abort with a call to fatal. (getCHARS): Prevetn reading off the end of the buffer. --- binutils/ChangeLog | 4 ++++ binutils/sysdump.c | 14 ++++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/binutils/ChangeLog b/binutils/ChangeLog index cfad0f7642..d6c3070eb6 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,6 +1,10 @@ 2015-01-08 Nick Clifton PR binutils/17512 + * sysdump.c (getINT): Fail if reading off the end of the buffer. + Replace call to abort with a call to fatal. + (getCHARS): Prevetn reading off the end of the buffer. + * nlmconv.c (i386_mangle_relocs): Skip relocs without an associated symbol. (powerpc_mangle_relocs): Skip unrecognised relocs. Check address diff --git a/binutils/sysdump.c b/binutils/sysdump.c index 37dd162218..ac350e1513 100644 --- a/binutils/sysdump.c +++ b/binutils/sysdump.c @@ -66,6 +66,9 @@ getCHARS (unsigned char *ptr, int *idx, int size, int max) if (b == 0) { + /* PR 17512: file: 13caced2. */ + if (oc >= max) + return _("*corrupt*"); /* Got to work out the length of the string from self. */ b = ptr[oc++]; (*idx) += 8; @@ -166,7 +169,12 @@ getINT (unsigned char *ptr, int *idx, int size, int max) int byte = *idx / 8; if (byte >= max) - return 0; + { + /* PR 17512: file: id:000001,src:000002,op:flip1,pos:45. */ + /* Prevent infinite loops re-reading beyond the end of the buffer. */ + fatal (_("ICE: getINT: Out of buffer space")); + return 0; + } if (size == -2) size = addrsize; @@ -188,7 +196,7 @@ getINT (unsigned char *ptr, int *idx, int size, int max) n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]); break; default: - abort (); + fatal (_("Unsupported read size: %d"), size); } *idx += size * 8; @@ -615,6 +623,8 @@ module (void) do { c = getc (file); + if (c == EOF) + break; ungetc (c, file); c &= 0x7f;