This patch fixes some illegal memory accesses triggered by running coffdump on fuzzed...
authorNick Clifton <nickc@redhat.com>
Wed, 21 Jan 2015 10:33:19 +0000 (10:33 +0000)
committerNick Clifton <nickc@redhat.com>
Wed, 21 Jan 2015 10:33:19 +0000 (10:33 +0000)
PR binutils/17512
* coffgrok.c (do_type): Check that computed ref exists.
(doit): Add range checks when computing section for scope.

binutils/ChangeLog
binutils/coffgrok.c

index 372230ee86f71e798edf1abc2065ec6db9fc20d3..d25b8b6c6dd6c27014d1cae0727d97762661ddce 100644 (file)
@@ -1,3 +1,9 @@
+2015-01-21  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/17512
+       * coffgrok.c (do_type): Check that computed ref exists.
+       (doit): Add range checks when computing section for scope.
+
 2015-01-12  H.J. Lu  <hongjiu.lu@intel.com>
 
        * dwarf.c (process_debug_info): Properly check abbrev size.
index a4c9d544948c528ce87ccffa420ef887d14ca680..5dc9558078562b39b5d6e4da2d71c00cd7ebc79b 100644 (file)
@@ -476,7 +476,11 @@ do_type (unsigned int i)
          /* Referring to a enum defined elsewhere.  */
          res->type = coff_enumref_type;
          res->u.aenumref.ref = tindex[idx];
-         res->size = res->u.aenumref.ref->type->size;
+         /* PR 17512: file: b85b67e8.  */
+         if (res->u.aenumref.ref)
+           res->size = res->u.aenumref.ref->type->size;
+         else
+           res->size = 0;
        }
       else
        {
@@ -740,7 +744,11 @@ doit (void)
                /* PR 17512: file: 0ef7fbaf.  */
                if (last_function_type)
                  last_function_type->u.function.code = top_scope;
-               top_scope->sec = ofile->sections + sym->n_scnum;
+               /* PR 17512: file: 22908266.  */
+               if (sym->n_scnum < ofile->nsections && sym->n_scnum >= 0)
+                 top_scope->sec = ofile->sections + sym->n_scnum;
+               else
+                 top_scope->sec = NULL;
                top_scope->offset = sym->n_value;
              }
            else
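Review bot: The fallback `top_scope->sec = NULL` on L47 moves the hazard rather than removing it unless every consumer of `scope->sec` already tolerates a NULL pointer — none of that code is visible here, so the first downstream `sec->` dereference needs checking before this is considered fixed. On the bound itself: in COFF `n_scnum == 0` denotes an undefined symbol and negative values absolute/debug symbols, so accepting `>= 0` is only correct if `ofile->sections` really has a usable entry at index 0 — confirm against where the array is sized. Writing the sign test first, `if (sym->n_scnum >= 0 && sym->n_scnum < ofile->nsections)`, reads more naturally and does not depend on short-circuit order should `nsections` ever become unsigned. A short comment on the else branch, `/* Corrupt symbol table: leave the scope sectionless rather than index past ofile->sections.  */`, would tell the next reader why NULL is acceptable here. doit continues outside this hunk.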
@@ -750,7 +758,6 @@ doit (void)
                  fatal (_("Function start encountered without a top level scope."));
                top_scope->size = sym->n_value - top_scope->offset + 1;
                pop_scope ();
-
              }
            i += sym->n_numaux + 1;
          }
@@ -764,7 +771,11 @@ doit (void)
              {
                /* Block start.  */
                push_scope (1);
-               top_scope->sec = ofile->sections + sym->n_scnum;
+               /* PR 17512: file: af7e8e83.  */
+               if (sym->n_scnum < ofile->nsections && sym->n_scnum >= 0)
+                 top_scope->sec = ofile->sections + sym->n_scnum;
+               else
+                 top_scope->sec = NULL;
                top_scope->offset = sym->n_value;
              }
            else
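Review bot: Lines L65–L68 are a verbatim copy of the section-range check added for function starts earlier in doit, and two hand-copied bounds rules on `sym->n_scnum` are the kind that drift apart on the next fix; a small static helper returning `struct coff_section *` or NULL, used as `top_scope->sec = scope_section (ofile, sym->n_scnum);` in both places, would keep a single definition of "valid section index". The same caveat as for function scopes applies: whatever later reads a block scope's `sec` must now cope with NULL, which this hunk does not show. doit's body runs past the end of this hunk.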