From b24cc4146e4de9f3b66e2e2fb8379db46eff89c9 Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Fri, 1 Mar 2019 09:28:47 +1030 Subject: [PATCH] PR24272, out-of-bounds read in pex64_xdata_print_uwd_codes The fix here is to use an unsigned comparison for if (a->NumberOfRvaAndSizes > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) include/ PR 24272 * coff/internal.h (struct internal_extra_pe_aouthdr): Change type of SizeOfCode, SizeOfInitializedData, and SizeOfUninitializedData to bfd_vma. Change type of SectionAlignment, FileAlignment, Reserved1, SizeOfImage, SizeOfHeaders, CheckSum, LoaderFlags, and NumberOfRvaAndSizes to uint32_t. bfd/ PR 24272 * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Use unsigned index. (_bfd_XX_print_private_bfd_data_common): Adjust for type changes.
---
 bfd/peXXigen.c | 35 +++++++++++++++++-----------------
 include/coff/internal.h | 42 ++++++++++++++++++++---------------------
 2 files changed, 38 insertions(+), 39 deletions(-)
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index e6d1425472d..77fb4933e73 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -522,15 +522,15 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
 a->NumberOfRvaAndSizes = H_GET_32 (abfd, src->NumberOfRvaAndSizes);
 {
- int idx;
+ unsigned idx;
 /* PR 17512: Corrupt PE binaries can cause seg-faults. */
 if (a->NumberOfRvaAndSizes > IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
 {
 /* xgettext:c-format */
 _bfd_error_handler
- (_("%pB: aout header specifies an invalid number of data-directory entries: %ld"),
- abfd, a->NumberOfRvaAndSizes);
+ (_("%pB: aout header specifies an invalid number of" " data-directory entries: %u"), abfd, a->NumberOfRvaAndSizes);
 bfd_set_error (bfd_error_bad_value);
 /* Paranoia: If the number is corrupt, then assume that the
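Review bot: The guard `if (a->NumberOfRvaAndSizes > IMAGE_NUMBEROF_DIRECTORY_ENTRIES)` is an unsigned comparison only because the field's type changes to uint32_t in include/coff/internal.h in this same patch; nothing at this call site records that, so a later "cleanup" back to a signed type (where a value with the top bit set compares as negative on hosts with a 32-bit long) would silently reopen the out-of-bounds read this commit fixes. I would extend the existing comment to `/* PR 17512, PR 24272: Corrupt PE binaries can cause seg-faults.  NumberOfRvaAndSizes must stay unsigned so a large value cannot compare below the limit.  */`. The `%ld` to `%u` change matches the new field on every host where uint32_t is unsigned int, which I believe is every host binutils supports; if the tree already uses PRIu32 elsewhere that would be the exact spelling. The body of _bfd_XXi_swap_aouthdr_in, including the loop that uses idx and the "paranoia" handling of the rejected value, continues past the end of this hunk, so I could not confirm how the bad count is neutralised before DataDirectory is indexed.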
@@ -2806,12 +2806,13 @@ _bfd_XX_print_private_bfd_data_common (bfd * abfd, void * vfile)
 fprintf (file, "\t(%s)",name);
 fprintf (file, "\nMajorLinkerVersion\t%d\n", i->MajorLinkerVersion);
 fprintf (file, "MinorLinkerVersion\t%d\n", i->MinorLinkerVersion);
- fprintf (file, "SizeOfCode\t\t%08lx\n", (unsigned long) i->SizeOfCode);
- fprintf (file, "SizeOfInitializedData\t%08lx\n",
- (unsigned long) i->SizeOfInitializedData);
- fprintf (file, "SizeOfUninitializedData\t%08lx\n",
- (unsigned long) i->SizeOfUninitializedData);
- fprintf (file, "AddressOfEntryPoint\t");
+ fprintf (file, "SizeOfCode\t\t");
+ bfd_fprintf_vma (abfd, file, i->SizeOfCode);
+ fprintf (file, "\nSizeOfInitializedData\t");
+ bfd_fprintf_vma (abfd, file, i->SizeOfInitializedData);
+ fprintf (file, "\nSizeOfUninitializedData\t");
+ bfd_fprintf_vma (abfd, file, i->SizeOfUninitializedData);
+ fprintf (file, "\nAddressOfEntryPoint\t");
 bfd_fprintf_vma (abfd, file, i->AddressOfEntryPoint);
 fprintf (file, "\nBaseOfCode\t\t");
 bfd_fprintf_vma (abfd, file, i->BaseOfCode);
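Review bot: The three SizeOf* fields move from a fixed `%08lx` to `bfd_fprintf_vma`, so their printed width now presumably follows the target's vma size instead of always being eight hex digits, while SectionAlignment, SizeOfImage, SizeOfHeaders and CheckSum in the same function are printed as `%08x`; anything that parses `objdump -p` output will see these three values change shape, and two groups of header fields that were formatted alike no longer are. If the wider bfd_vma type is only needed on the write side, printing them as before with `fprintf (file, "SizeOfCode\t\t%08lx\n", (unsigned long) i->SizeOfCode);` would keep the dump stable; if the wider output is intended, a one-line comment above the first `bfd_fprintf_vma` saying so would stop the next reader from "fixing" it. The function _bfd_XX_print_private_bfd_data_common begins before and continues after this hunk.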
@@ -2823,20 +2824,18 @@ _bfd_XX_print_private_bfd_data_common (bfd * abfd, void * vfile)
 fprintf (file, "\nImageBase\t\t");
 bfd_fprintf_vma (abfd, file, i->ImageBase);
- fprintf (file, "\nSectionAlignment\t");
- bfd_fprintf_vma (abfd, file, i->SectionAlignment);
- fprintf (file, "\nFileAlignment\t\t");
- bfd_fprintf_vma (abfd, file, i->FileAlignment);
- fprintf (file, "\nMajorOSystemVersion\t%d\n", i->MajorOperatingSystemVersion);
+ fprintf (file, "\nSectionAlignment\t%08x\n", i->SectionAlignment);
+ fprintf (file, "FileAlignment\t\t%08x\n", i->FileAlignment);
+ fprintf (file, "MajorOSystemVersion\t%d\n", i->MajorOperatingSystemVersion);
 fprintf (file, "MinorOSystemVersion\t%d\n", i->MinorOperatingSystemVersion);
 fprintf (file, "MajorImageVersion\t%d\n", i->MajorImageVersion);
 fprintf (file, "MinorImageVersion\t%d\n", i->MinorImageVersion);
 fprintf (file, "MajorSubsystemVersion\t%d\n", i->MajorSubsystemVersion);
 fprintf (file, "MinorSubsystemVersion\t%d\n", i->MinorSubsystemVersion);
- fprintf (file, "Win32Version\t\t%08lx\n", (unsigned long) i->Reserved1);
- fprintf (file, "SizeOfImage\t\t%08lx\n", (unsigned long) i->SizeOfImage);
- fprintf (file, "SizeOfHeaders\t\t%08lx\n", (unsigned long) i->SizeOfHeaders);
- fprintf (file, "CheckSum\t\t%08lx\n", (unsigned long) i->CheckSum);
+ fprintf (file, "Win32Version\t\t%08x\n", i->Reserved1);
+ fprintf (file, "SizeOfImage\t\t%08x\n", i->SizeOfImage);
+ fprintf (file, "SizeOfHeaders\t\t%08x\n", i->SizeOfHeaders);
+ fprintf (file, "CheckSum\t\t%08x\n", i->CheckSum);
 switch (i->Subsystem)
 {
diff --git a/include/coff/internal.h b/include/coff/internal.h
index 9b557694218..c87dc8abaf7 100644
--- a/include/coff/internal.h
+++ b/include/coff/internal.h
@@ -197,11 +197,11 @@ struct internal_extra_pe_aouthdr
 /* Linker minor version number. */
 char MinorLinkerVersion;
 /* Total size of all code sections. */
- long SizeOfCode;
+ bfd_vma SizeOfCode;
 /* Total size of all initialized data sections. */
- long SizeOfInitializedData;
+ bfd_vma SizeOfInitializedData;
 /* Total size of all uninitialized data sections. */
- long SizeOfUninitializedData;
+ bfd_vma SizeOfUninitializedData;
 /* Address of entry point relative to image base. */
 bfd_vma AddressOfEntryPoint;
 /* Address of the first code section relative to image base. */
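Review bot: SizeOfCode, SizeOfInitializedData and SizeOfUninitializedData become bfd_vma here while every other 32-bit header field in this struct moves to uint32_t in the later hunks, and neither the field comments nor the commit message say why these three need the wider type; the next reader will be tempted to "normalise" them to uint32_t and quietly change the print and write paths. I would put the reason on the first of them, for example `/* Total size of all code sections.  bfd_vma, not uint32_t: see the writer in peXXigen.c.  */`, with the real reason filled in (my guess is that the writer accumulates section sizes into it before storing the 32-bit on-disk value, but I cannot confirm that from this hunk). The definition of struct internal_extra_pe_aouthdr begins above this hunk and ends after it.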
@@ -211,21 +211,21 @@ struct internal_extra_pe_aouthdr
 /* PE stuff */
 bfd_vma ImageBase; /* Address of specific location in memory that
- file is located, NT default 0x10000. */
-
- bfd_vma SectionAlignment; /* Section alignment default 0x1000. */
- bfd_vma FileAlignment; /* File alignment default 0x200. */
- short MajorOperatingSystemVersion; /* Minimum version of the operating. */
- short MinorOperatingSystemVersion; /* System req'd for exe, default to 1. */
- short MajorImageVersion; /* User defineable field to store version of */
- short MinorImageVersion; /* exe or dll being created, default to 0. */
- short MajorSubsystemVersion; /* Minimum subsystem version required to */
- short MinorSubsystemVersion; /* run exe; default to 3.1. */
- long Reserved1; /* Seems to be 0. */
- long SizeOfImage; /* Size of memory to allocate for prog. */
- long SizeOfHeaders; /* Size of PE header and section table. */
- long CheckSum; /* Set to 0. */
- short Subsystem;
+ file is located, NT default 0x10000. */
+
+ uint32_t SectionAlignment; /* Section alignment default 0x1000. */
+ uint32_t FileAlignment; /* File alignment default 0x200. */
+ short MajorOperatingSystemVersion; /* Minimum version of the operating. */
+ short MinorOperatingSystemVersion; /* System req'd for exe, default 1. */
+ short MajorImageVersion; /* User defineable field to store version of */
+ short MinorImageVersion; /* exe or dll being created, default to 0. */
+ short MajorSubsystemVersion; /* Minimum subsystem version required to */
+ short MinorSubsystemVersion; /* run exe; default to 3.1. */
+ uint32_t Reserved1; /* Seems to be 0. */
+ uint32_t SizeOfImage; /* Size of memory to allocate for prog. */
+ uint32_t SizeOfHeaders; /* Size of PE header and section table. */
+ uint32_t CheckSum; /* Set to 0. */
+ short Subsystem;
 /* Type of subsystem exe uses for user interface, possible values:
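Review bot: This hunk introduces `uint32_t` into include/coff/internal.h but shows no `#include <stdint.h>`, so as far as the patch reveals the header now depends on bfd.h or sysdep.h having brought the type into scope first; that is an invisible ordering requirement and will break any translation unit that includes coff/internal.h before those. Either add `#include <stdint.h>` near the top of the header (outside this hunk) or, if the project deliberately routes stdint through bfd.h, say so in the header's lead comment. The version fields left as `short` (`MajorOperatingSystemVersion` and friends) are unchanged by this commit, though if they are read from unsigned 16-bit on-disk values, as the other fields are, values of 0x8000 and above will still print as negative through `%d`; pre-existing, but worth a follow-up. The struct continues outside this hunk on both sides.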
@@ -237,11 +237,11 @@ struct internal_extra_pe_aouthdr
 unsigned short DllCharacteristics; /* flags for DLL init. */
 bfd_vma SizeOfStackReserve; /* Amount of memory to reserve. */
 bfd_vma SizeOfStackCommit; /* Amount of memory initially committed for
- initial thread's stack, default is 0x1000. */
+ initial thread's stack, default 0x1000. */
 bfd_vma SizeOfHeapReserve; /* Amount of virtual memory to reserve and */
 bfd_vma SizeOfHeapCommit; /* commit, don't know what to defaut it to. */
- long LoaderFlags; /* Can probably set to 0. */
- long NumberOfRvaAndSizes; /* Number of entries in next entry, 16. */
+ uint32_t LoaderFlags; /* Can probably set to 0. */
+ uint32_t NumberOfRvaAndSizes; /* Number of entries in next entry, 16. */
 IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
 };
-- 2.30.2
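Review bot: `NumberOfRvaAndSizes` is the field whose signedness caused PR 24272, and the bounds check in _bfd_XXi_swap_aouthdr_in in this same patch compares it against IMAGE_NUMBEROF_DIRECTORY_ENTRIES, yet its comment still reads "Number of entries in next entry, 16." and nothing warns that the type is load-bearing. I would replace that comment with `/* Number of valid entries in DataDirectory; values above IMAGE_NUMBEROF_DIRECTORY_ENTRIES are rejected by _bfd_XXi_swap_aouthdr_in.  Must stay unsigned so that check is an unsigned comparison (PR 24272).  */`. `LoaderFlags` shares the width change only; no check in this patch depends on its type, so its comment can stay as is. The struct's closing `};` is in the hunk, so this unit is complete.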