From f76d79580efea856298d9e5b9a91746be875f1b1 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Thu, 21 Nov 2019 10:54:20 +0000
Subject: [PATCH] Fix potential buffer overrun in objcopy's note merging code.
	* objcopy.c (merge_gnu_build_notes): Allow for the possibility that the new notes might actually be larger than the original notes.
---
 binutils/ChangeLog | 6 ++++++
 binutils/objcopy.c | 11 ++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 10ab37ce3da..2d1a0030883 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2019-11-21  Nick Clifton
+
+	* objcopy.c (merge_gnu_build_notes): Allow for the possibility
+	that the new notes might actually be larger than the original
+	notes.
+
 2019-11-21  Alan Modra
 
 	* testsuite/lib/binutils-common.exp (is_pecoff_format): Rewrite
diff --git a/binutils/objcopy.c b/binutils/objcopy.c
index f682fbeef47..6e614b17cf0 100644
--- a/binutils/objcopy.c
+++ b/binutils/objcopy.c
@@ -2460,7 +2460,9 @@ merge_gnu_build_notes (bfd * abfd,
   bfd_vma prev_start = 0;
   bfd_vma prev_end = 0;
-  new = new_contents = xmalloc (size);
+  /* Not sure how, but the notes might grow in size.
+     (eg see PR 1774507).  Allow for this here.  */
+  new = new_contents = xmalloc (size * 2);
   for (pnote = pnotes, old = contents; pnote < pnotes_end; pnote ++)
@@ -2527,8 +2529,11 @@ merge_gnu_build_notes (bfd * abfd,
 #endif
   new_size = new - new_contents;
-  memcpy (contents, new_contents, new_size);
-  size = new_size;
+  if (new_size < size)
+    {
+      memcpy (contents, new_contents, new_size);
+      size = new_size;
+    }
   free (new_contents);
  done:
-- 
2.30.2
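Review bot: Doubling the allocation at `new = new_contents = xmalloc (size * 2);` is a guess at the worst case rather than a bound, and the comment above it admits as much; the loop that advances `new` (its body lies outside this hunk) still has no check that it stays below `new_contents + size * 2`, so an input whose merged notes grow past twice the original size overruns the heap exactly as before. If the growth cannot be bounded from the note format, bound the writes instead: before each note is emitted, check that it fits in the remaining space and otherwise abandon the merge and leave the section untouched. The `PR 1774507` reference looks more like a distribution bug-tracker id than a sourceware PR number; naming the tracker in the comment would save the next reader a search. merge_gnu_build_notes starts and ends outside the hunk.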
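Review bot: `if (new_size < size)` silently discards the merged notes whenever they did not shrink, and because it tests `<` rather than `<=` it also throws away a result that is exactly the original size even though that copy fits in `contents`; `if (new_size <= size)` is the correct guard for the memcpy. Nothing in the else case tells the user that merging was abandoned, so the section is written out unmerged with no diagnostic; a warning there (objcopy's non_fatal helper, if it is in scope at this point) would make the fallback visible. The check also runs only after the loop has finished writing, so it cannot stop the overrun the commit message describes once new_size exceeds the doubled buffer; the bound has to be enforced where `new` is advanced, outside this hunk. merge_gnu_build_notes continues past the end of the hunk.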