som_bfd_fill_in_ar_symbols buffer overflow
* som.c (som_bfd_fill_in_ar_symbols): Bounds check som_dict index.
parent
3e6aa7751a
commit
85d8681747
|
@ -1,3 +1,7 @@
|
|||
2020-01-06 Alan Modra <amodra@gmail.com>
|
||||
|
||||
* som.c (som_bfd_fill_in_ar_symbols): Bounds check som_dict index.
|
||||
|
||||
2020-01-06 Alan Modra <amodra@gmail.com>
|
||||
|
||||
* mach-o.c (bfd_mach_o_read_dylinker): Don't read past end of
|
||||
|
|
23
bfd/som.c
23
bfd/som.c
|
@ -6002,6 +6002,7 @@ som_bfd_fill_in_ar_symbols (bfd *abfd,
|
|||
size_t len;
|
||||
unsigned char ext_len[4];
|
||||
char *name;
|
||||
unsigned int ndx;
|
||||
|
||||
/* An empty chain has zero as it's file offset. */
|
||||
hash_val = bfd_getb32 (hash_table + 4 * i);
|
||||
|
@ -6048,9 +6049,14 @@ som_bfd_fill_in_ar_symbols (bfd *abfd,
|
|||
|
||||
/* Fill in the file offset. Note that the "location" field points
|
||||
to the SOM itself, not the ar_hdr in front of it. */
|
||||
set->file_offset =
|
||||
bfd_getb32 (som_dict[bfd_getb32 (lst_symbol.som_index)].location)
|
||||
- sizeof (struct ar_hdr);
|
||||
ndx = bfd_getb32 (lst_symbol.som_index);
|
||||
if (ndx >= lst_header->module_count)
|
||||
{
|
||||
bfd_set_error (bfd_error_bad_value);
|
||||
goto error_return;
|
||||
}
|
||||
set->file_offset
|
||||
= bfd_getb32 (som_dict[ndx].location) - sizeof (struct ar_hdr);
|
||||
|
||||
/* Go to the next symbol. */
|
||||
set++;
|
||||
|
@ -6097,9 +6103,14 @@ som_bfd_fill_in_ar_symbols (bfd *abfd,
|
|||
|
||||
/* Fill in the file offset. Note that the "location" field points
|
||||
to the SOM itself, not the ar_hdr in front of it. */
|
||||
set->file_offset =
|
||||
bfd_getb32 (som_dict[bfd_getb32 (lst_symbol.som_index)].location)
|
||||
- sizeof (struct ar_hdr);
|
||||
ndx = bfd_getb32 (lst_symbol.som_index);
|
||||
if (ndx >= lst_header->module_count)
|
||||
{
|
||||
bfd_set_error (bfd_error_bad_value);
|
||||
goto error_return;
|
||||
}
|
||||
set->file_offset
|
||||
= bfd_getb32 (som_dict[ndx].location) - sizeof (struct ar_hdr);
|
||||
|
||||
/* Go on to the next symbol. */
|
||||
set++;
|
||||
|
|
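Review bot: The value read from `som_dict[ndx].location` is still used without a lower bound in both rewritten assignments (the hunks at -6048 and -6097), so a location smaller than `sizeof (struct ar_hdr)` underflows the subtraction and leaves `set->file_offset` pointing outside the archive. Both fields come from the archive being read, so the same treatment as the new index check seems appropriate: read the value into a local first, e.g. `loc = bfd_getb32 (som_dict[ndx].location);`, then `if (loc < sizeof (struct ar_hdr)) { bfd_set_error (bfd_error_bad_value); goto error_return; }` before assigning `set->file_offset = loc - sizeof (struct ar_hdr);`. The new `ndx >= lst_header->module_count` test is only a valid bound if `som_dict` was allocated and fully read for exactly `module_count` entries; that code is outside these hunks, so it is worth confirming. Since the check is now duplicated verbatim in two loops, a small static helper that validates the index and location and returns the offset would keep the two copies from drifting apart.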