This is the mail archive of the binutils@sources.redhat.com mailing list for the binutils project.
Re: Bogus code in coffgen.c?
- To: binutils at sourceware dot cygnus dot com
- Subject: Re: Bogus code in coffgen.c?
- From: "H . J . Lu" <hjl at lucon dot org>
- Date: Thu, 1 Nov 2001 15:55:04 -0800
- References: <20011101154140.A25895@lucon.org>
On Thu, Nov 01, 2001 at 03:41:40PM -0800, H . J . Lu wrote:
> In coffgen.c, there is
>
> 290 if (internal_f.f_opthdr)
> 291 {
> 292 PTR opthdr;
> 293
> 294 opthdr = bfd_alloc (abfd, aoutsz);
> ^^^^^^^^
> 295 if (opthdr == NULL)
> 296 return 0;;
> 297 if (bfd_bread (opthdr, (bfd_size_type) internal_f.f_opthdr, abfd)
> ^^^^^^^^^^^^^^^^^^^
> 298 != internal_f.f_opthdr)
> 299 {
> 300 return 0;
> 301 }
> 302 bfd_coff_swap_aouthdr_in (abfd, opthdr, (PTR) &internal_a);
> 303 }
> 304
>
> We allocate a buffer of `aoutsz' bytes. Then we read `internal_f.f_opthdr'
> bytes into it. Why?
>
How about this patch?
H.J.
---
2001-11-01 H.J. Lu (hjl@gnu.org)
* coffgen.c (coff_object_p): Return 0 if the header is too
big.
Index: coffgen.c
===================================================================
RCS file: /work/cvs/gnu/binutils/bfd/coffgen.c,v
retrieving revision 1.24
diff -u -p -r1.24 coffgen.c
--- coffgen.c 2001/10/15 20:55:56 1.24
+++ coffgen.c 2001/11/01 23:52:29
@@ -280,7 +280,8 @@ coff_object_p (abfd)
bfd_coff_swap_filehdr_in (abfd, filehdr, &internal_f);
bfd_release (abfd, filehdr);
- if (bfd_coff_bad_format_hook (abfd, &internal_f) == false)
+ if (bfd_coff_bad_format_hook (abfd, &internal_f) == false
+ || internal_f.f_opthdr > aoutsz)
{
bfd_set_error (bfd_error_wrong_format);
return 0;
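Review bot: the new `|| internal_f.f_opthdr > aoutsz` condition stops bfd_bread from writing more than the aoutsz bytes that bfd_alloc reserved, but it routes a size-sanity failure through the same branch as bfd_coff_bad_format_hook, so the ChangeLog entry should state that the object is rejected with bfd_error_wrong_format rather than only that 0 is returned. The undersized case (0 < f_opthdr < aoutsz) is still accepted and leaves the tail of the buffer untouched before bfd_coff_swap_aouthdr_in is handed it; consider either rejecting f_opthdr != aoutsz or clearing the buffer after bfd_alloc.

As an added illustration (not code from this thread or from binutils), a stand-alone C model of the length check the patch introduces: the constructed image layout (a 2-byte little-endian f_opthdr followed by the optional header bytes), the AOUTSZ value and the function names are assumptions for the example. It also zero-fills the buffer so that an undersized f_opthdr cannot leave stale bytes for later parsing, which the patch itself does not do.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the in-memory optional header we are prepared to parse
   (stands in for bfd's aoutsz; the value is an assumption). */
#define AOUTSZ 28

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_WRONG_FORMAT = 2 };

/* Minimal stand-in for the COFF file header field used here. */
struct filehdr { uint16_t f_opthdr; };

/* Parse `len` bytes of a constructed object image into `out`.
   Mirrors the patched coff_object_p logic: reject f_opthdr > AOUTSZ
   before any bytes are read into the fixed-size buffer. */
static enum parse_status parse_opthdr(const uint8_t *img, size_t len,
                                      uint8_t out[AOUTSZ])
{
    struct filehdr f;
    if (len < 2) return PARSE_TRUNCATED;
    f.f_opthdr = (uint16_t)(img[0] | (img[1] << 8));

    /* The check the patch adds: a header larger than the buffer
       would let the following read overrun it. */
    if (f.f_opthdr > AOUTSZ) return PARSE_WRONG_FORMAT;

    /* Clear the buffer so an undersized header cannot leave stale
       bytes behind for the field-swapping code that follows. */
    memset(out, 0, AOUTSZ);
    if (f.f_opthdr) {
        if (len - 2 < f.f_opthdr) return PARSE_TRUNCATED;
        memcpy(out, img + 2, f.f_opthdr);
    }
    return PARSE_OK;
}

/* Build a constructed 66-byte image (not from any real object file)
   claiming an optional header of `opthdr_len` bytes and parse it. */
static enum parse_status try_image(uint16_t opthdr_len)
{
    uint8_t img[2 + 64];
    uint8_t out[AOUTSZ];
    img[0] = (uint8_t)(opthdr_len & 0xff);
    img[1] = (uint8_t)(opthdr_len >> 8);
    memset(img + 2, 0xAA, sizeof img - 2);
    return parse_opthdr(img, sizeof img, out);
}

int main(void)
{
    printf("f_opthdr=28 -> %d\n", try_image(28)); /* PARSE_OK (0) */
    printf("f_opthdr=64 -> %d\n", try_image(64)); /* PARSE_WRONG__FORMAT (2) */
    return 0;
}
```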