author | Nick Clifton <nickc@redhat.com> | 2017-09-10 10:26:33 +0100 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2017-09-10 10:26:33 +0100 |
commit | 4c730770f07e4b5da5ab0a7654056cc9532b967d (patch) | |
tree | f3547e563164766498b358c5cd84b4cd52287a87 | |
parent | 38d47c2247aea860c41aa4bdddc4bed34e378731 (diff) | |
download | binutils-gdb-4c730770f07e4b5da5ab0a7654056cc9532b967d.tar.gz |
Import fix from mainline that fixes buffer overrun errors when parsing corrupt DWARF debug information string sections.
PR 22047
* dwarf2.c (read_section): If necessary add a terminating NUL byte
to dwarf string sections.
-rw-r--r-- | bfd/ChangeLog | 8 | ||||
-rw-r--r-- | bfd/dwarf2.c | 23 |
2 files changed, 31 insertions, 0 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 708a4bf8f76..ed97efc83fc 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2017-09-10 Nick Clifton <nickc@redhat.com>
+
+ Import from mainline:
+
+ PR 22047
+ * dwarf2.c (read_section): If necessary add a terminating NUL byte
+ to dwarf string sections.
+
 2017-09-10 Alan Modra <amodra@gmail.com>
 
 * elf64-ppp.c (plt_stub_pad): Handle positive and negative
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 877962783b3..3cb2c347c8b 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -566,6 +566,29 @@ read_section (bfd * abfd,
 0, *section_size))
 return FALSE;
 }
+
+ /* Paranoia - if we are reading in a string section, make sure that it
+ is NUL terminated. This is to prevent string functions from running
+ off the end of the buffer. Note - knowing the size of the buffer is
+ not enough as some functions, eg strchr, do not have a range limited
+ equivalent.
+
+ FIXME: We ought to use a flag in the dwarf_debug_sections[] table to
+ determine the nature of a debug section, rather than checking the
+ section name as we do here. */
+ if (*section_size > 0
+ && (*section_buffer)[*section_size - 1] != 0
+ && (strstr (section_name, "_str") || strstr (section_name, "names")))
+ {
+ bfd_byte * new_buffer = malloc (*section_size + 1);
+
+ _bfd_error_handler (_("warning: dwarf string section '%s' is not NUL terminated"),
+ section_name);
+ memcpy (new_buffer, *section_buffer, *section_size);
+ new_buffer[*section_size] = 0;
+ free (*section_buffer);
+ *section_buffer = new_buffer;
+ }
 }
 
 /* It is possible to get a bad value for the offset into the section |
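Review bot: The result of `malloc (*section_size + 1)` in the new block is passed straight to `memcpy` and written through `new_buffer[*section_size] = 0` with no NULL check, so an allocation failure on an oversized (and, given this is a corrupt-input fix, attacker-chosen) section size converts the buffer overrun being fixed into a NULL dereference. The earlier part of the same function already bails out with `return FALSE;` when section contents cannot be obtained, so the same treatment fits here: `bfd_byte * new_buffer = bfd_malloc (*section_size + 1);` followed by `if (new_buffer == NULL) return FALSE;`, which also keeps allocation-error reporting consistent with the rest of bfd. Leaving `*section_buffer` in place on that path matches the existing failure path in the hunk's context, though since read_section starts and its buffer allocation sits outside the hunk, whether the caller releases it should be confirmed. A separate, much less likely concern is that `*section_size + 1` wrapping to zero would defeat the copy; a `*section_size + 1 == 0` guard before the allocation closes it cheaply if the size has not already been bounded against the file size upstream.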