From c616591359a014fcfdb5acb48e70ecda0823fb46 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Tue, 30 Aug 2016 13:51:43 +0100
Subject: [PATCH] Partially revert previous delta - move limit testing code to first scan over symbol file.
PR gprof/20499
* corefile.c (num_of_syms_in): Return an unsigned int. Fail if the count exceeds the maximum possible allocatable size. (core_create_syms_from): Exit early if num_of_syms_in returns a failure code.
---
gprof/ChangeLog | 7 +++----
gprof/corefile.c | 20 +++++++++-----------
2 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/gprof/ChangeLog b/gprof/ChangeLog
index e5afbf63561..176a8f9ab5c 100644
--- a/gprof/ChangeLog
+++ b/gprof/ChangeLog
@@ -2,10 +2,9 @@
 PR gprof/20499
 * corefile.c (num_of_syms_in): Return an unsigned int.
- (core_create_syms_from): Catch a possible integer overflow computing the argument to xmalloc. Also allow for the possibility that an integer overflow in num_of_syms_in means that less space has been allocated than expected.
+ Fail if the count exceeds the maximum possible allocatable size.
+ (core_create_syms_from): Exit early if num_of_syms_in returns a failure code.
 2016-08-23 Nick Clifton
diff --git a/gprof/corefile.c b/gprof/corefile.c
index e165da2c112..87de7bc67e2 100644
--- a/gprof/corefile.c
+++ b/gprof/corefile.c
@@ -28,6 +28,7 @@
 #include "hist.h"
 #include "corefile.h"
 #include "safe-ctype.h"
+#include /* For UINT_MAX. */
 bfd *core_bfd;
 static int core_num_syms;
@@ -500,7 +501,11 @@ num_of_syms_in (FILE * f)
 {
 if (sscanf (buf, "%" STR_BUFSIZE "s %c %" STR_BUFSIZE "s", address, &type, name) == 3)
 if (type == 't' || type == 'T')
- ++num;
+ {
+ /* PR 20499 - prevent integer overflow computing argument to xmalloc. */
+ if (++num >= UINT_MAX / sizeof (Sym))
+ return -1U;
+ }
 }
 return num;
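Review bot: `return -1U;` turns UINT_MAX into an in-band failure value of num_of_syms_in, yet nothing in the hunk records that contract, and a caller that forgets the test will pass the sentinel straight to xmalloc. Add to the function's header comment, which sits above the hunk: `/* Return the number of 't'/'T' symbols in F, or -1U (UINT_MAX) if that many Sym entries cannot be sized for xmalloc without overflow; callers must test for -1U before allocating.  */`. The trailing context shows the loop's closing `}` followed directly by `return num;`, so if `buf`, `address` and `name` handed to sscanf are heap buffers owned by this function (their declarations are above the hunk), neither the normal return nor the new early return releases them, and a `goto` to one shared cleanup label would be the tidier shape for the new exit. The comparison itself is sound: `num` is promoted to `size_t` against `UINT_MAX / sizeof (Sym)`, so the threshold is reached before `num` can wrap.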
@@ -531,11 +536,10 @@ core_create_syms_from (const char * sym_table_file)
 fprintf (stderr, _("%s: file `%s' has no symbols\n"), whoami, sym_table_file);
 done (1);
 }
- /* PR 20499 - prevent integer overflow computing argument to xmalloc. */
- else if ((symtab.len * (unsigned) sizeof (Sym)) < symtab.len)
+ else if (symtab.len == -1U)
 {
- fprintf (stderr, _("%s: file `%s' has too many symbols: %u\n"),
- whoami, sym_table_file, symtab.len);
+ fprintf (stderr, _("%s: file `%s' has too many symbols\n"),
+ whoami, sym_table_file);
 done (1);
 }
@@ -571,12 +575,6 @@ core_create_syms_from (const char * sym_table_file)
 max_vma = MAX (symtab.limit->addr, max_vma);
 ++symtab.limit;
- /* PR 20499 - it is theoretically possible that there are so many symbols in the file that the scan in num_of_syms_in() wrapped around. So be paranoid here and exit the loop if we have reached the end of our allocated table. */
- if ((unsigned int)(symtab.limit - symtab.base) == symtab.len)
- break;
 }
 fclose (f);
-- 
2.30.2
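Review bot: `symtab.len == -1U` depends on a magic sentinel shared with num_of_syms_in (the -500,+501 hunk above) with no comment tying the two sites together, and the equality only holds if symtab.len is exactly `unsigned int`, which this hunk does not show (the cast removed in the following hunk suggests it is). A one-line comment on the new condition keeps the contract visible, `/* -1U: num_of_syms_in () counted more symbols than can be allocated (PR 20499).  */`, or better a named constant defined once beside num_of_syms_in and used at both sites. core_create_syms_from begins and ends outside the hunk.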
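Review bot: Dropping the bound check leaves the fill loop with no limit other than the count num_of_syms_in obtained on a separate pass over the same FILE; `++symtab.limit` advances the cursor on every iteration and the entry it points at is filled earlier in the loop body (above the hunk), so any divergence between the two passes — the file changing between them, or the second pass accepting lines the first did not — runs past the `symtab.len` entries that were allocated. The first-pass limit added in num_of_syms_in addresses the counter overflow, not this mismatch, and the guard costs one comparison, so keep it, moved ahead of the store rather than after the increment: `if ((unsigned int)(symtab.limit - symtab.base) >= symtab.len) break;` as the first statement of the loop body. The loop's opening and the rest of core_create_syms_from lie outside the hunk.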