From 0eff716535f3e8f501d6b438f7f796b70a0b9f98 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Tue, 18 Nov 2014 10:07:11 +0000
Subject: [PATCH] Fix memort access problems exposed by fuzzed binaries.

	PR binutils/17531
	* readelf.c (get_unwind_section_word): Skip reloc processing if
	there are no relocs associated with the section.
	(decode_tic6x_unwind_bytecode): Warn and return if the stack
	pointer adjustment falls off the end of the buffer.
---
 binutils/ChangeLog | 8 ++++++++
 binutils/readelf.c | 16 +++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index bba4c98220e..3b82059fa74 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,11 @@
+2014-11-18 Nick Clifton
+
+	PR binutils/17531
+	* readelf.c (get_unwind_section_word): Skip reloc processing if
+	there are no relocs associated with the section.
+	(decode_tic6x_unwind_bytecode): Warn and return if the stack
+	pointer adjustment falls off the end of the buffer.
+
 2014-11-14 Nick Clifton
 
 	PR binutils/17512
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 964dfc63c71..6cead836a69 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -7089,6 +7089,13 @@ get_unwind_section_word (struct arm_unw_aux_info * aux,
   /* Get the word at the required offset.  */
   word = byte_get (arm_sec->data + word_offset, 4);
 
+  /* PR 17531: file: id:000001,src:001266+003044,op:splice,rep:128.  */
+  if (arm_sec->rela == NULL)
+    {
+      * wordp = word;
+      return TRUE;
+    }
+
   /* Look through the relocs to find the one that applies to the provided offset.  */
   wrapped = FALSE;
   for (rp = arm_sec->next_rela; rp != arm_sec->rela + arm_sec->nrelas; rp++)
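Review bot: The comment above the new `arm_sec->rela == NULL` guard records only the fuzzer case id, so a maintainer cannot tell why handing back the unrelocated word is the correct result; `/* No relocations for this section: the word is used exactly as read.  */` (keeping the PR reference) would carry that, and the same case-id-only comment appears in the decode_tic6x_unwind_bytecode hunk. The guard tests the `rela` pointer alone while the loop on the following context line bounds itself with `nrelas`; if an empty reloc section can leave `rela` non-NULL with `nrelas == 0` the loop would still terminate at once, but adding `|| arm_sec->nrelas == 0` to the condition would make the intent explicit. get_unwind_section_word begins and ends outside the hunk, so whether `word_offset` is bounds-checked before the `byte_get` on the context line cannot be seen here.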
@@ -7583,7 +7590,14 @@ decode_tic6x_unwind_bytecode (struct arm_unw_aux_info *aux,
               if ((buf[i] & 0x80) == 0)
                 break;
             }
-          assert (i < sizeof (buf));
+          /* PR 17531: file: id:000001,src:001906+004739,op:splice,rep:2.  */
+          if (i == sizeof (buf))
+            {
+              printf ("\n");
+              warn (_("Corrupt stack pointer adjustment detected\n"));
+              return;
+            }
+
           offset = read_uleb128 (buf, &len, buf + i + 1);
           assert (len == i + 1);
           offset = offset * 8 + 0x408;
-- 
2.30.2
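Review bot: The new warn-and-`return` gives the caller no signal that the bytecode was truncated; the bare `return;` implies decode_tic6x_unwind_bytecode returns void, so the caller presumably proceeds to the next entry as if this one decoded completely. If the caller tracks per-entry status, returning a boolean (or the count of bytes consumed) would let it stop or mark the entry instead of continuing silently after corrupt input. The `assert (len == i + 1)` two lines below is not affected by the change: the loop above (its head lies outside the hunk) only exits early on a byte with the high bit clear, so `read_uleb128` consumes exactly `i + 1` bytes by construction rather than by trusting the file. The function begins and ends outside the hunk.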