This is the mail archive of the binutils@sourceware.cygnus.com mailing list for the binutils project.



Re: Fix bfd_read to cope with bad BIMs


Hi Ian,

:      The patch below fixes a small bug in bfd_read().  If a bfd_in_memory
:      structure has a "size" field that is less than the value of
:      "abfd->where" then the code would attempt to memcpy() a negative sized
:      amount of data, resulting in a segmentation fault.
: 
:      Is this patch OK to apply ?
: 
: Yes, but there is probably another bug.  bfd_seek should not let you
: set the abfd->where field of a BFD_IN_MEMORY BFD to an invalid value.

  Agreed, and here is a patch to fix both problems:

  Shall I apply this version ?

Cheers
	Nick


2000-01-21  Nick Clifton  <nickc@cygnus.com>

	* libbfd.c (bfd_read): Do not attempt to get a negatively sized
	amount from a bfd_in_memory structure.
	(bfd_seek): Do not allow seeks past the end of a bfd_in_memory
	structure.

Index: libbfd.c
===================================================================
RCS file: /cvs/binutils/binutils/bfd/libbfd.c,v
retrieving revision 1.7
diff -p -r1.7 libbfd.c
*** libbfd.c	1999/11/09 19:13:21	1.7
--- libbfd.c	2000/01/21 19:45:02
*************** bfd_read (ptr, size, nitems, abfd)
*** 274,280 ****
        get = size * nitems;
        if (abfd->where + get > bim->size)
  	{
! 	  get = bim->size - abfd->where;
  	  bfd_set_error (bfd_error_file_truncated);
  	}
        memcpy (ptr, bim->buffer + abfd->where, get);
--- 274,283 ----
        get = size * nitems;
        if (abfd->where + get > bim->size)
  	{
! 	  if (bim->size < abfd->where)
! 	    get = 0;
! 	  else
! 	    get = bim->size - abfd->where;
  	  bfd_set_error (bfd_error_file_truncated);
  	}
        memcpy (ptr, bim->buffer + abfd->where, get);
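Review bot: in the new `get = 0` branch (taken when `bim->size < abfd->where`) the `memcpy (ptr, bim->buffer + abfd->where, get)` that follows still runs and still forms the pointer `bim->buffer + abfd->where`, which lies past the end of the buffer; a zero-length copy avoids the crash but leaves `abfd->where` in its invalid state for the next call. Suggest returning early (or skipping the memcpy) when `get == 0`, and consider reporting the corrupt-offset case as bfd_error_invalid_operation rather than bfd_error_file_truncated, since "the buffer is shorter than the request" and "the current offset is already outside the buffer" are different conditions for callers. Also worth a look while here: `get = size * nitems` and `abfd->where + get` are computed unchecked, so a large `nitems` can wrap the product and let an absurd request slip past the `abfd->where + get > bim->size` test.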
*************** bfd_seek (abfd, position, direction)
*** 677,686 ****
--- 680,697 ----
  
    if ((abfd->flags & BFD_IN_MEMORY) != 0)
      {
+       struct bfd_in_memory *bim;
+ 
+       bim = (struct bfd_in_memory *) abfd->iostream;
+       
        if (direction == SEEK_SET)
  	abfd->where = position;
        else
  	abfd->where += position;
+       
+       if (abfd->where > bim->size)
+ 	abfd->where = bim->size;
+       
        return 0;
      }
  
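Review bot: the clamp only handles the upper bound. `abfd->where = position` with a negative `position` under SEEK_SET, or `abfd->where += position` stepping backwards past offset 0, leaves `abfd->where` negative and `return 0` reports success; bfd_read will then index `bim->buffer` with that offset. Suggest checking `abfd->where < 0` next to the `abfd->where > bim->size` test. Also, silently clamping to `bim->size` and returning 0 hides the bad seek from the caller; setting bfd_error_invalid_operation and returning -1 would tell callers the seek failed, which is what they check for. Style: the three added blank lines in this hunk carry trailing whitespace after the `+`.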

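To make the two conditions under discussion concrete (an offset that has ended up past the end of an in-memory image, and a seek that would put it there), here is a small stand-alone in-memory reader with a bounded read and seek. This is an added example written for this page, not binutils code; the type and function names (mem_file, mem_read, mem_seek, naive_remaining) are hypothetical stand-ins for bfd_in_memory, bfd_read and bfd_seek, and the 12-byte sample image is constructed for the example. It goes a little beyond the patch: a seek outside [0, size] is rejected rather than clamped, and a wrapped size * nitems product is treated as "more than is available".

```c
/* Added example, not binutils code: a minimal in-memory "file" with the
 * bounded read and seek that the thread above discusses.  mem_file,
 * mem_read, mem_seek and naive_remaining are hypothetical stand-ins for
 * bfd_in_memory, bfd_read and bfd_seek. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct mem_file {
    const unsigned char *buffer;
    size_t size;   /* bytes available in buffer */
    size_t where;  /* current offset; mem_seek keeps 0 <= where <= size */
};

enum { MEM_SEEK_SET = 0, MEM_SEEK_CUR = 1 };

/* The arithmetic the original bfd_read did: with unsigned sizes,
 * size - where wraps to a huge value when where > size, which is the
 * bogus length that reached memcpy. */
size_t naive_remaining(size_t size, size_t where)
{
    return size - where;
}

/* Seek like the patched bfd_seek, but reject (return -1) instead of
 * silently clamping: a seek before offset 0 or past the end leaves
 * where unchanged. */
int mem_seek(struct mem_file *f, long position, int direction)
{
    long base = (direction == MEM_SEEK_SET) ? 0L : (long) f->where;
    long target;

    /* Guard base + position against signed overflow before computing it. */
    if (position > 0 && base > LONG_MAX - position)
        return -1;
    target = base + position;
    if (target < 0 || (unsigned long) target > f->size)
        return -1;
    f->where = (size_t) target;
    return 0;
}

/* Copy up to size * nitems bytes from the current offset into ptr.
 * Returns the number of bytes copied; *truncated is set to 1 when that
 * is fewer than requested (bfd_read reports this with
 * bfd_error_file_truncated). */
size_t mem_read(void *ptr, size_t size, size_t nitems,
                struct mem_file *f, int *truncated)
{
    size_t get, avail;

    *truncated = 0;
    if (size == 0 || nitems == 0)
        return 0;
    /* size * nitems itself can wrap; a wrapped product is treated as
     * "more than could possibly be available". */
    get = (nitems > SIZE_MAX / size) ? SIZE_MAX : size * nitems;

    /* This is the bug the patch fixes: never compute size - where
     * unless where <= size. */
    avail = (f->where <= f->size) ? f->size - f->where : 0;
    if (get > avail) {
        get = avail;
        *truncated = 1;
    }
    /* Only form buffer + where when there is something to copy, so an
     * out-of-range where never becomes an out-of-range pointer. */
    if (get > 0) {
        memcpy(ptr, f->buffer + f->where, get);
        f->where += get;
    }
    return get;
}

/* Constructed sample input: 12 bytes standing in for a tiny object image. */
static const unsigned char sample_image[] = "\x7f" "ELF" "....data";

struct mem_file sample_file(void)
{
    struct mem_file f = { sample_image, sizeof sample_image - 1, 0 };
    return f;
}
```

The interesting calls are the ones the report describes: set `where` past `size` by hand (as a corrupt BIM would), then read, and confirm the result is a zero-byte truncated read rather than a wrapped length; and seek with a negative or oversized position and confirm the offset is left alone.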