FreeChainXenon/binutils-gdb
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

asan: readelf: heap buffer overflow in slurp_hppa_unwind_table

Browse source 
This one isn't just a weird corner case requiring multiple
.PARISC.unwind sections in an object file to trigger the buffer
overflow, it's also a simple bug that would prevent relocations being
applied in the normal case of a single .PARISC.unwind section.

	* readelf (slurp_hppa_unwind_table): Set table_len before use
	in relocation sanity checks.
This commit is contained in:
Alan Modra 2020-07-09 13:18:37 +09:30
parent a6978338d9
commit e3fdc001d3
2 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
binutils/ChangeLog
View file

@ -1,3 +1,8 @@
2020-07-09 Alan Modra <amodra@gmail.com>
* readelf (slurp_hppa_unwind_table): Set table_len before use
in relocation sanity checks.
2020-07-07 Alan Modra <amodra@gmail.com>
* testsuite/binutils-all/ar.exp: Use is_xcoff_format.

3
binutils/readelf.c
View file

@ -8253,6 +8253,7 @@ slurp_hppa_unwind_table (Filedata * filedata,
nentries = size / unw_ent_size;
size = unw_ent_size * nentries;
aux->table_len = nentries;
tep = aux->table = (struct hppa_unw_table_entry *)
xcmalloc (nentries, sizeof (aux->table[0]));
@ -8372,8 +8373,6 @@ slurp_hppa_unwind_table (Filedata * filedata,
free (rela);
}
aux->table_len = nentries;
return TRUE;
}