OpenE2K
/
binutils-gdb
12
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

PR26188, buff overflow in coff_find_nearest_line_with_names 

PR 26188
	* coffgen.c (coff_find_nearest_line_with_names): Sanity check
	raw syment index before dereferencing.
This commit is contained in:
Alan Modra 2020-07-01 16:54:50 +09:30
parent 9cdf98207c
commit 33d1369f18
2 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
bfd/ChangeLog
View File

@ -1,3 +1,9 @@
2020-07-01 Alan Modra <amodra@gmail.com>
PR 26188
* coffgen.c (coff_find_nearest_line_with_names): Sanity check
raw syment index before dereferencing.
2020-07-01 Alan Modra <amodra@gmail.com>
* elf32-i386.c (elf_backend_object_p): Undef for vxworks.

8
bfd/coffgen.c
View File

@ -2435,11 +2435,15 @@ coff_find_nearest_line_with_names (bfd *abfd,
/* In XCOFF a debugging symbol can follow the
function symbol. */
if (s->u.syment.n_scnum == N_DEBUG)
if (((size_t) ((char *) s - (char *) obj_raw_syments (abfd))
< obj_raw_syment_count (abfd) * sizeof (*s))
&& s->u.syment.n_scnum == N_DEBUG)
s = s + 1 + s->u.syment.n_numaux;
/* S should now point to the .bf of the function. */
if (s->u.syment.n_numaux)
if (((size_t) ((char *) s - (char *) obj_raw_syments (abfd))
< obj_raw_syment_count (abfd) * sizeof (*s))
&& s->u.syment.n_numaux)
{
/* The linenumber is stored in the auxent. */
union internal_auxent *a = &((s + 1)->u.auxent);