From bf82069dce1b1a88560e5d7320342c78372b627e Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Mon, 23 Apr 2018 12:52:42 +0100 Subject: [PATCH] Prevent an illegal memory access in gprof by ensuring that string tables for aout format files are always zero-terminated. PR 23056 * aoutx.h (aout_get_external_symbols): Allocate an extra byte at the end of the string table, and zero it. --- bfd/ChangeLog | 12 ++++++++++++ bfd/aoutx.h | 7 ++++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 7cc35f36e58..e8b748b5bf1 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2018-04-23 Nick Clifton + + PR 23056 + * aoutx.h (aout_get_external_symbols): Allocate an extra byte at + the end of the string table, and zero it. + 2018-04-23 Alan Modra * elf-linux-core.h (swap_linux_prpsinfo32_ugid32_out): Disable @@ -7,6 +13,12 @@ (swap_linux_prpsinfo64_ugid16_out): Likewise. * elf.c (elfcore_write_prpsinfo): Likewise. +2018-04-23 Nick Clifton + + PR 23056 + * aoutx.h (aout_get_external_symbols): Allocate an extra byte at + the end of the string table, and zero it. + 2018-04-20 Alan Modra PR 22978 diff --git a/bfd/aoutx.h b/bfd/aoutx.h index 7cc95614ee2..023843b0be4 100644 --- a/bfd/aoutx.h +++ b/bfd/aoutx.h @@ -1343,7 +1343,7 @@ aout_get_external_symbols (bfd *abfd) #ifdef USE_MMAP if (stringsize >= BYTES_IN_WORD) { - if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize, + if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize + 1, &obj_aout_string_window (abfd), TRUE)) return FALSE; strings = (char *) obj_aout_string_window (abfd).data; @@ -1351,7 +1351,7 @@ aout_get_external_symbols (bfd *abfd) else #endif { - strings = (char *) bfd_malloc (stringsize); + strings = (char *) bfd_malloc (stringsize + 1); if (strings == NULL) return FALSE; 
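Review bot: In the USE_MMAP branch the window is now requested for `stringsize + 1` bytes, one byte beyond the string table as the file records it, and when the table is the last thing in the object that byte does not exist on disk. How bfd_get_file_window reacts to a window that overruns EOF by one byte is decided outside this hunk: a read-based fallback may see a short read and return FALSE, turning a valid a.out into a load failure, while a successful mapping that ends exactly on a page boundary would make the later `strings[stringsize] = 0` store touch a page past EOF. Please test a USE_MMAP build on a valid a.out whose string table ends at EOF before relying on this; if the window code cannot tolerate the overrun, keep the request at `stringsize` there and let the window code (or a copy into a malloc'd buffer) provide the sentinel. The enclosing aout_get_external_symbols starts before this hunk and continues after it.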
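Review bot: `bfd_malloc (stringsize + 1)` relies on stringsize having been bounded earlier, and this hunk does not show that check. stringsize is presumably the size word read from the file's string table, and if no earlier guard caps it against the file size, an all-ones word makes `stringsize + 1` wrap to zero, so bfd_malloc(0) can hand back a small non-NULL buffer and the terminator store later in the function writes far out of bounds — the same class of bug PR 23056 is fixing. If such a cap is missing, a cheap guard directly before the allocation is `if (stringsize + 1 < stringsize) { bfd_set_error (bfd_error_bad_value); return FALSE; }`. The function begins before this hunk, so the earlier check may well exist; confirm rather than assume.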
@@ -1370,7 +1370,8 @@ aout_get_external_symbols (bfd *abfd) /* Ensure that a zero index yields an empty string. */ strings[0] = '\0'; - strings[stringsize - 1] = 0; + /* Ensure that the string buffer is NUL terminated. */ + strings[stringsize] = 0; obj_aout_external_strings (abfd) = strings; obj_aout_external_string_size (abfd) = stringsize; -- 2.30.2
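Review bot: The new comment says the buffer is NUL terminated but not what changed: the removed line overwrote the table's own last byte in place, whereas the new line leaves the table intact and writes a sentinel into the extra byte, which `obj_aout_external_string_size (abfd) = stringsize` on the following line deliberately does not count. That distinction matters to anyone checking offsets against the recorded size, so I would extend the comment to `/* Ensure that the string buffer is NUL terminated.  The terminator lives in the extra byte allocated above and is not counted in obj_aout_external_string_size.  */`. Note that the sentinel only stops a strlen-style walk from running off the end of the table; a symbol whose string offset is itself beyond stringsize is not made safe by it, so wherever symbol string offsets are translated an explicit comparison against obj_aout_external_string_size is still required. aout_get_external_symbols continues past this hunk.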