Fix shift overflow when parsing an overlarge note value.
PR binutils/21378 * readelf.c (print_gnu_build_attribute_name): Check for an overlarge name field.
parent
792f174f8a
commit
ddef72cdc1
|
@ -1,3 +1,9 @@
|
||||||
|
2017-04-21 Nick Clifton <nickc@redhat.com>
|
||||||
|
|
||||||
|
PR binutils/21378
|
||||||
|
* readelf.c (print_gnu_build_attribute_name): Check for an
|
||||||
|
overlarge name field.
|
||||||
|
|
||||||
2017-04-13 Nick Clifton <nickc@redhat.com>
|
2017-04-13 Nick Clifton <nickc@redhat.com>
|
||||||
|
|
||||||
PR binutils/21379
|
PR binutils/21379
|
||||||
|
|
|
@ -16949,10 +16949,18 @@ print_gnu_build_attribute_name (Elf_Internal_Note * pnote)
|
||||||
case GNU_BUILD_ATTRIBUTE_TYPE_NUMERIC:
|
case GNU_BUILD_ATTRIBUTE_TYPE_NUMERIC:
|
||||||
{
|
{
|
||||||
unsigned int bytes = pnote->namesz - (name - pnote->namedata);
|
unsigned int bytes = pnote->namesz - (name - pnote->namedata);
|
||||||
unsigned long val = 0;
|
unsigned long long val = 0;
|
||||||
unsigned int shift = 0;
|
unsigned int shift = 0;
|
||||||
char * decoded = NULL;
|
char * decoded = NULL;
|
||||||
|
|
||||||
|
/* PR 21378 */
|
||||||
|
if (bytes > sizeof (val))
|
||||||
|
{
|
||||||
|
error (_("corrupt name field: namesz of %lu is too large for a numeric value\n"),
|
||||||
|
pnote->namesz);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
while (bytes --)
|
while (bytes --)
|
||||||
{
|
{
|
||||||
unsigned long byte = (* name ++) & 0xff;
|
unsigned long byte = (* name ++) & 0xff;
|
||||||
|
@ -16995,9 +17003,9 @@ print_gnu_build_attribute_name (Elf_Internal_Note * pnote)
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
if (do_wide)
|
if (do_wide)
|
||||||
left -= printf ("0x%lx", val);
|
left -= printf ("0x%llx", val);
|
||||||
else
|
else
|
||||||
left -= printf ("0x%-.*lx", left, val);
|
left -= printf ("0x%-.*llx", left, val);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
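Review bot: In the first readelf.c hunk, `val` is widened to `unsigned long long` and up to `sizeof (val)` bytes are now accepted, but the loop-local `byte` is still declared `unsigned long`. On hosts where `unsigned long` is 32 bits, a name field of five to eight bytes passes the new check, and the shift applied to `byte` can then reach or exceed the width of its type. The shift statement itself lies below the end of the hunk, so this is inferred from the surrounding declarations. Declaring it as `unsigned long long byte = (* name ++) & 0xff;` keeps the shift within the width of `val` for every value the guard lets through. The body of print_gnu_build_attribute_name starts and ends outside both hunks, so confirm there that `shift` is only ever applied to the widened type.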