From 9d9e2a340ba50670f406afa314acaa9a2c34ec64 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Tue, 18 May 2021 23:39:35 +0930
Subject: [PATCH] PR27879, stack-buffer-overflow on sysdump

PR 27879
* sysdump.c (getBARRAY): Sanity check size against max.
(getINT): Avoid UB shift left.
---
 binutils/ChangeLog | 6 ++++++
 binutils/sysdump.c | 13 ++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 3819a42719e..6767729d705 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2021-05-19 Alan Modra
+
+ PR 27879
+ * sysdump.c (getBARRAY): Sanity check size against max.
+ (getINT): Avoid UB shift left.
+
 2021-05-15 Alan Modra
 
 * dwarf.c (process_cu_tu_index): Avoid pointer UB. Use _mul_overflow.
diff --git a/binutils/sysdump.c b/binutils/sysdump.c
index 8993152bdd6..35796e829a0 100644
--- a/binutils/sysdump.c
+++ b/binutils/sysdump.c
@@ -131,19 +131,21 @@ fillup (unsigned char *ptr)
 }
 
 static barray
-getBARRAY (unsigned char *ptr, int *idx, int dsize ATTRIBUTE_UNUSED,
- int max ATTRIBUTE_UNUSED)
+getBARRAY (unsigned char *ptr, int *idx, int dsize ATTRIBUTE_UNUSED, int max)
 {
 barray res;
 int i;
 int byte = *idx / 8;
- int size = ptr[byte++];
+ int size = 0;
+
+ if (byte < max)
+ size = ptr[byte++];
 
 res.len = size;
 res.data = (unsigned char *) xmalloc (size);
 
 for (i = 0; i < size; i++)
- res.data[i] = ptr[byte++];
+ res.data[i] = byte < max ? ptr[byte++] : 0;
 
 return res;
 }
@@ -179,7 +181,8 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
 n = (ptr[byte + 0] << 8) + ptr[byte + 1];
 break;
 case 4:
- n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]);
+ n = (((unsigned) ptr[byte + 0] << 24) + (ptr[byte + 1] << 16)
+ + (ptr[byte + 2] << 8) + (ptr[byte + 3]));
 break;
 default:
 fatal (_("Unsupported read size: %d"), size);
--
2.30.2
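Review bot: In getBARRAY, a truncated record is now padded with zeros while `res.len` still carries the length byte read from the file, so a caller cannot tell file bytes from padding. If that is intended, say so above the function, e.g. `/* Bytes at or beyond MAX read as zero; res.len keeps the declared length. */`. Otherwise, clamp the length inside the `if (byte < max)` branch, after the length byte is consumed, with `if (size > max - byte) size = max - byte;`. The new guard bounds `byte` only from above, and whether `*idx` can be negative at this point is not visible in the hunk. `dsize` is still marked unused, so the element size plays no part in the bound.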
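Review bot: In the `case 4` arm of getINT only the top byte is cast, which is enough to keep `<< 24` out of signed overflow, but nothing on the line says why the cast is there. A comment such as `/* Cast keeps << 24 in unsigned arithmetic; a set top bit would overflow int. */` would stop it being removed later as redundant. The unsigned sum is stored in `n`, which is declared outside the hunk; if `n` is a plain `int`, values with the top bit set depend on implementation-defined conversion. The check that `byte + 3` stays within `max` is also outside the hunk, since getINT starts and ends beyond it.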