Fix potential buffer overrun in objcopy's note merging code.

* objcopy.c (merge_gnu_build_notes): Allow for the possibility that the new notes might actually be larger than the original notes.
2019-11-21 10:54:20 +00:00 · 2019-11-21 10:54:20 +00:00 · f76d79580e
parent 73d5efd7e1
commit f76d79580e
2 changed files with 14 additions and 3 deletions
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@ -1,3 +1,9 @@
+2019-11-21  Nick Clifton  <nickc@redhat.com>
+
+	* objcopy.c (merge_gnu_build_notes): Allow for the possibility
+	that the new notes might actually be larger than the original
+	notes.
+
 2019-11-21  Alan Modra  <amodra@gmail.com>

 	* testsuite/lib/binutils-common.exp (is_pecoff_format): Rewrite
--- a/binutils/objcopy.c
+++ b/binutils/objcopy.c
@ -2460,7 +2460,9 @@ merge_gnu_build_notes (bfd *          abfd,
  bfd_vma        prev_start = 0;
  bfd_vma        prev_end = 0;

-  new = new_contents = xmalloc (size);
+  /* Not sure how, but the notes might grow in size.
+     (eg see PR 1774507).  Allow for this here.  */
+  new = new_contents = xmalloc (size * 2);
  for (pnote = pnotes, old = contents;
       pnote < pnotes_end;
       pnote ++)
@ -2527,8 +2529,11 @@ merge_gnu_build_notes (bfd *          abfd,
 #endif
  
  new_size = new - new_contents;
-  memcpy (contents, new_contents, new_size);
-  size = new_size;
+  if (new_size < size)
+    {
+      memcpy (contents, new_contents, new_size);
+      size = new_size;
+    }
  free (new_contents);

 done: