From 183445093ebd6be285e29f75b877e62a723918c6 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Fri, 25 Jan 2019 13:16:06 +0000 Subject: [PATCH] Prevent a potential illegal memory access in readelf when parsing a note with a zero name size. PR 24131 * readelf.c (process_notes_at): Prevent an illegal memory access when the note's namesize is zero. (decode_tic6x_unwind_bytecode): Add code to handle the case where no registers are specified in a frame pop instruction. --- binutils/ChangeLog | 8 ++++++++ binutils/readelf.c | 33 ++++++++++++++++++++------------- 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 7653019a37c..a5f9bdef48d 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,11 @@ +2019-01-25 Nick Clifton + + PR 24131 + * readelf.c (process_notes_at): Prevent an illegal memory access + when the note's namesize is zero. + (decode_tic6x_unwind_bytecode): Add code to handle the case where + no registers are specified in a frame pop instruction. + 2019-01-25 Nick Clifton * po/bg.po: Updated Bulgarian translation. diff --git a/binutils/readelf.c b/binutils/readelf.c index b13eb6a43ba..77acc6a7b42 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -8852,21 +8852,28 @@ decode_tic6x_unwind_bytecode (Filedata * filedata, } printf (_("pop frame {")); - reg = nregs - 1; - for (i = i * 2; i > 0; i--) + if (nregs == 0) { - if (regpos[reg].offset == i - 1) + printf (_("*corrupt* - no registers specified")); + } + else + { + reg = nregs - 1; + for (i = i * 2; i > 0; i--) { - name = tic6x_unwind_regnames[regpos[reg].reg]; - if (reg > 0) - reg--; - } - else - name = _("[pad]"); + if (regpos[reg].offset == i - 1) + { + name = tic6x_unwind_regnames[regpos[reg].reg]; + if (reg > 0) + reg--; + } + else + name = _("[pad]"); - fputs (name, stdout); - if (i > 1) - printf (", "); + fputs (name, stdout); + if (i > 1) + printf (", "); + } } printf ("}"); @@ -18741,7 +18748,7 @@ process_notes_at (Filedata * filedata, one version of Linux (RedHat 6.0) generates corefiles that don't comply with the ELF spec by failing to include the null byte in namesz. */ - if (inote.namedata[inote.namesz - 1] != '\0') + if (inote.namesz > 0 && inote.namedata[inote.namesz - 1] != '\0') { if ((size_t) (inote.descdata - inote.namedata) == inote.namesz) { -- 2.30.2