From e4f2723003859dc6b33ca0dadbc4a7659ebf1643 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Thu, 31 Aug 2017 17:03:23 +0100 Subject: [PATCH] Fix buffer read overrun by ensuring that DWARF sections containing strings always end in a NUL byte. PR 22047 * dwarf2.c (read_section): If necessary add a terminating NUL byte to dwarf string sections. --- bfd/ChangeLog | 6 ++++++ bfd/dwarf2.c | 23 +++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 1a3cc5106e5..368b5586974 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2017-08-31 Nick Clifton + + PR 22047 + * dwarf2.c (read_section): If necessary add a terminating NUL byte + to dwarf string sections. + 2017-08-31 Alan Modra * po/SRC-POTFILES.in: Regenerate. diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c index 22d6d56407f..40a187a1a43 100644 --- a/bfd/dwarf2.c +++ b/bfd/dwarf2.c @@ -566,6 +566,29 @@ read_section (bfd * abfd, 0, *section_size)) return FALSE; } + + /* Paranoia - if we are reading in a string section, make sure that it + is NUL terminated. This is to prevent string functions from running + off the end of the buffer. Note - knowing the size of the buffer is + not enough as some functions, eg strchr, do not have a range limited + equivalent. + + FIXME: We ought to use a flag in the dwarf_debug_sections[] table to + determine the nature of a debug section, rather than checking the + section name as we do here. */ + if (*section_size > 0 + && (*section_buffer)[*section_size - 1] != 0 + && (strstr (section_name, "_str") || strstr (section_name, "names"))) + { + bfd_byte * new_buffer = malloc (*section_size + 1); + + _bfd_error_handler (_("warning: dwarf string section '%s' is not NUL terminated"), + section_name); + memcpy (new_buffer, *section_buffer, *section_size); + new_buffer[*section_size] = 0; + free (*section_buffer); + *section_buffer = new_buffer; + } } /* It is possible to get a bad value for the offset into the section -- 2.30.2