From 5d921cbd81554867007e903b634acc6bc8281f9f Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Fri, 21 Nov 2014 13:37:39 +0000 Subject: [PATCH] Resolve more problems with readelf uncovered by fuzzing binary files. PR binutils/17531 * readelf.c (process_version_sections): Prevent an infinite loop processing corrupt version need data. (process_corefile_note_segment): Handle corrupt notes. --- binutils/ChangeLog | 7 +++++++ binutils/readelf.c | 8 +++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 8e3976ac44e..cc4590af376 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,10 @@ +2014-11-21 Nick Clifton + + PR binutils/17531 + * readelf.c (process_version_sections): Prevent an infinite loop + processing corrupt version need data. + (process_corefile_note_segment): Handle corrupt notes. + 2014-11-21 Terry Guo * readelf.c (arm_attr_tag_FP_arch): Extended to support FPv5. diff --git a/binutils/readelf.c b/binutils/readelf.c index b7269d163e7..e8ce2793404 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -9133,6 +9133,10 @@ process_version_sections (FILE * file) if (j < ent.vd_cnt) printf (_(" Version def aux past end of section\n")); + /* PR 17531: file: id:000001,src:000172+005151,op:splice,rep:2. */ + if (idx + ent.vd_next <= idx) + break; + idx += ent.vd_next; } @@ -14686,6 +14690,9 @@ process_corefile_note_segment (FILE * file, bfd_vma offset, bfd_vma length) if (inote.descdata < (char *) external + min_notesz || next < (char *) external + min_notesz + /* PR binutils/17531: file: id:000000,sig:11,src:006986,op:havoc,rep:4. */ + || inote.namedata + inote.namesz < inote.namedata + || inote.descdata + inote.descsz < inote.descdata || data_remaining < (size_t)(next - (char *) external)) { warn (_("note with invalid namesz and/or descsz found at offset 0x%lx\n"), 
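Review bot: The new `if (idx + ent.vd_next <= idx) break;` guard in process_version_sections stops the walk silently on a corrupt entry, while the line just above it prints a diagnostic for the sibling aux-past-end case, so a file with `vd_next == 0` or a wrapping `vd_next` produces no warning at all; I would report it before leaving the loop, e.g. `warn (_("Corrupt Version Definition entry (vd_next is zero or wraps)\n")); break;`. The comment names only the fuzzer test-case file and should state the condition it guards, such as `/* PR 17531: a zero or wrapping vd_next would loop forever or revisit earlier entries.  */`. The test only catches wrap-around of the sum; whether the advanced `idx` is also bounded against the section end depends on the checks earlier in the loop body, which are outside this hunk, as are the declarations of `idx` and `vd_next` (if `idx` is a narrower type than `vd_next`, `idx += ent.vd_next` can still truncate without tripping this test). The enclosing loop and function start above the hunk.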
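Review bot: The two added conditions `inote.namedata + inote.namesz < inote.namedata` and `inote.descdata + inote.descsz < inote.descdata` in process_corefile_note_segment detect overflow by forming a pointer beyond the object and comparing it back, which is undefined behaviour in C; with unsigned `namesz`/`descsz` GCC is entitled to, and at -O2 does, fold `p + n < p` to false, so the guard can disappear from the optimised build. Express the bound in integer arithmetic against the bytes actually available, e.g. `|| inote.namesz > data_remaining` and `|| inote.descsz > data_remaining`, which is the form the existing `data_remaining < (size_t)(next - (char *) external)` clause already uses for `next`. If `next` is itself derived from `descdata + descsz` (its computation is outside this hunk), the same wrap can already have occurred before this test runs, so the integer checks belong ahead of that derivation. The enclosing function begins above the hunk.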
@@ -14704,7 +14711,6 @@ process_corefile_note_segment (FILE * file, bfd_vma offset, bfd_vma length) if (inote.namedata[inote.namesz - 1] != '\0') { temp = (char *) malloc (inote.namesz + 1); - if (temp == NULL) { error (_("Out of memory allocating space for inote name\n")); -- 2.30.2