From 5b7d62376fc942a803d174789fe4464b26f09a02 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Wed, 21 Jan 2015 10:33:19 +0000 Subject: [PATCH] This patch fixes some illegal memory accesses triggered by running coffdump on fuzzed binaries. PR binutils/17512 * coffgrok.c (do_type): Check that computed ref exists. (doit): Add range checks when computing section for scope. --- binutils/ChangeLog | 6 ++++++ binutils/coffgrok.c | 19 +++++++++++++++---- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 372230ee86f..d25b8b6c6dd 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,9 @@ +2015-01-21 Nick Clifton + + PR binutils/17512 + * coffgrok.c (do_type): Check that computed ref exists. + (doit): Add range checks when computing section for scope. + 2015-01-12 H.J. Lu * dwarf.c (process_debug_info): Properly check abbrev size. diff --git a/binutils/coffgrok.c b/binutils/coffgrok.c index a4c9d544948..5dc95580785 100644 --- a/binutils/coffgrok.c +++ b/binutils/coffgrok.c @@ -476,7 +476,11 @@ do_type (unsigned int i) /* Referring to a enum defined elsewhere. */ res->type = coff_enumref_type; res->u.aenumref.ref = tindex[idx]; - res->size = res->u.aenumref.ref->type->size; + /* PR 17512: file: b85b67e8. */ + if (res->u.aenumref.ref) + res->size = res->u.aenumref.ref->type->size; + else + res->size = 0; } else { @@ -740,7 +744,11 @@ doit (void) /* PR 17512: file: 0ef7fbaf. */ if (last_function_type) last_function_type->u.function.code = top_scope; - top_scope->sec = ofile->sections + sym->n_scnum; + /* PR 17512: file: 22908266. */ + if (sym->n_scnum < ofile->nsections && sym->n_scnum >= 0) + top_scope->sec = ofile->sections + sym->n_scnum; + else + top_scope->sec = NULL; top_scope->offset = sym->n_value; } else @@ -750,7 +758,6 @@ doit (void) fatal (_("Function start encountered without a top level scope.")); top_scope->size = sym->n_value - top_scope->offset + 1; pop_scope (); - } i += sym->n_numaux + 1; } @@ -764,7 +771,11 @@ doit (void) { /* Block start. */ push_scope (1); - top_scope->sec = ofile->sections + sym->n_scnum; + /* PR 17512: file: af7e8e83. */ + if (sym->n_scnum < ofile->nsections && sym->n_scnum >= 0) + top_scope->sec = ofile->sections + sym->n_scnum; + else + top_scope->sec = NULL; top_scope->offset = sym->n_value; } else -- 2.30.2