This is the mail archive of the binutils@sources.redhat.com mailing list for the binutils project.



Re: Bogus code in coffgen.c?


On Thu, Nov 01, 2001 at 03:41:40PM -0800, H. J. Lu wrote:
> In coffgen.c, there is
> 
>     290   if (internal_f.f_opthdr)
>     291     {
>     292       PTR opthdr;
>     293 
>     294       opthdr = bfd_alloc (abfd, aoutsz);
> 					^^^^^^^^
>     295       if (opthdr == NULL)
>     296         return 0;;
>     297       if (bfd_bread (opthdr, (bfd_size_type) internal_f.f_opthdr, abfd)
> 						     ^^^^^^^^^^^^^^^^^^^
>     298           != internal_f.f_opthdr)
>     299         {
>     300           return 0;
>     301         }
>     302       bfd_coff_swap_aouthdr_in (abfd, opthdr, (PTR) &internal_a);
>     303     }
>     304 
> 
> We allocate a buffer of `aoutsz' bytes. Then we read `internal_f.f_opthdr'
> bytes into it. Why?
> 
> 
> 

How about this patch?


H.J.
---
2001-11-01  H.J. Lu  (hjl@gnu.org)

	* coffgen.c (coff_object_p): Return 0 if the header is too
	big.

Index: coffgen.c
===================================================================
RCS file: /work/cvs/gnu/binutils/bfd/coffgen.c,v
retrieving revision 1.24
diff -u -p -r1.24 coffgen.c
--- coffgen.c	2001/10/15 20:55:56	1.24
+++ coffgen.c	2001/11/01 23:52:29
@@ -280,7 +280,8 @@ coff_object_p (abfd)
   bfd_coff_swap_filehdr_in (abfd, filehdr, &internal_f);
   bfd_release (abfd, filehdr);
 
-  if (bfd_coff_bad_format_hook (abfd, &internal_f) == false)
+  if (bfd_coff_bad_format_hook (abfd, &internal_f) == false
+      || internal_f.f_opthdr > aoutsz)
     {
       bfd_set_error (bfd_error_wrong_format);
       return 0;
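Review bot: the new `internal_f.f_opthdr > aoutsz` test closes the overrun, but the other direction is still open in the code quoted above: when f_opthdr is smaller than aoutsz, `bfd_bread` fills only the first f_opthdr bytes of the `bfd_alloc`'d buffer and `bfd_coff_swap_aouthdr_in` then decodes all aoutsz bytes, so the tail of the optional header is read from uninitialized memory. Either reject `internal_f.f_opthdr != aoutsz` if every target expects a full-size optional header, or keep the `>` check and clear the remainder before the swap, e.g. `memset ((char *) opthdr + internal_f.f_opthdr, 0, aoutsz - internal_f.f_opthdr);`. A one-line comment on the new condition saying that aoutsz is the size of the buffer the optional header is read into would also help, since bfd_error_wrong_format alone gives no hint why a file with a large f_opthdr is rejected.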


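The check in the patch, as an added example that is not code from binutils or from this thread: a minimal in-memory reader for a classic COFF file header and optional header, written to show what the `f_opthdr > aoutsz` test prevents and what it does not. Everything here is assumed for illustration: little-endian fields, the 20-byte classic file header with f_opthdr at offset 16, a 28-byte aouthdr buffer standing in for aoutsz, the function and constant names, and the constructed sample images built by `make_image`. Unlike the patch, it also zero-fills the tail of the buffer when the file supplies fewer than AOUTSZ bytes, so the decode step never reads bytes the file did not provide.

```c
/* Added example, not binutils or thread code: an in-memory COFF header
   reader applying the f_opthdr length check from the patch.  Assumed:
   little-endian fields, 20-byte classic filehdr, 28-byte aouthdr buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILHSZ    20      /* classic COFF file header size                 */
#define AOUTSZ    28      /* size of the buffer the optional header fills  */
#define MAX_IMAGE 256     /* bound for the constructed sample images       */

struct internal_aouthdr {
    uint16_t magic, vstamp;
    uint32_t tsize, dsize, bsize, entry, text_start, data_start;
};

enum { COFF_OK = 0, COFF_TRUNCATED = -1, COFF_OPTHDR_TOO_BIG = -2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Counterpart of the optional-header step in coff_object_p.  An f_opthdr
   larger than the buffer is rejected before anything is read (the patch's
   check); a smaller one is accepted, with the unread tail zeroed. */
int read_coff_headers(const uint8_t *img, size_t len, struct internal_aouthdr *a)
{
    uint8_t opthdr[AOUTSZ];
    uint16_t f_opthdr;

    memset(a, 0, sizeof *a);
    if (len < FILHSZ)
        return COFF_TRUNCATED;
    f_opthdr = rd16(img + 16);          /* f_opthdr field of the filehdr */
    if (f_opthdr == 0)
        return COFF_OK;                 /* no optional header present    */
    if (f_opthdr > AOUTSZ)
        return COFF_OPTHDR_TOO_BIG;     /* would overrun opthdr[]        */
    if (len - FILHSZ < f_opthdr)
        return COFF_TRUNCATED;          /* bfd_bread would come up short */

    memset(opthdr, 0, sizeof opthdr);   /* not in the patch: clear tail  */
    memcpy(opthdr, img + FILHSZ, f_opthdr);

    /* Stand-in for bfd_coff_swap_aouthdr_in: decodes all AOUTSZ bytes. */
    a->magic      = rd16(opthdr + 0);
    a->vstamp     = rd16(opthdr + 2);
    a->tsize      = rd32(opthdr + 4);
    a->dsize      = rd32(opthdr + 8);
    a->bsize      = rd32(opthdr + 12);
    a->entry      = rd32(opthdr + 16);
    a->text_start = rd32(opthdr + 20);
    a->data_start = rd32(opthdr + 24);
    return COFF_OK;
}

/* Constructed sample image: a file header whose f_opthdr says `claimed`
   bytes follow, with `present` bytes actually appended.  The aouthdr
   magic is 0x010b and entry is 0x1000 whenever those bytes exist. */
size_t make_image(uint8_t *buf, uint16_t claimed, size_t present)
{
    memset(buf, 0, MAX_IMAGE);
    wr16(buf + 0, 0x014c);              /* f_magic (i386 COFF value)     */
    wr16(buf + 16, claimed);            /* f_opthdr                      */
    if (present >= 2)
        wr16(buf + FILHSZ + 0, 0x010b);
    if (present >= 20)
        wr32(buf + FILHSZ + 16, 0x1000);
    return FILHSZ + present;
}

/* Status and decoded entry point for one (claimed, present) case. */
static int run_case(uint16_t claimed, size_t present, struct internal_aouthdr *a)
{
    uint8_t buf[MAX_IMAGE];
    size_t len = make_image(buf, claimed, present);
    return read_coff_headers(buf, len, a);
}
int case_status(uint16_t c, size_t p) { struct internal_aouthdr a; return run_case(c, p, &a); }
uint32_t case_entry(uint16_t c, size_t p) { struct internal_aouthdr a; run_case(c, p, &a); return a.entry; }

int main(void)
{
    printf("exact 28/28:     status %d entry 0x%x\n", case_status(28, 28), case_entry(28, 28));
    printf("too big 64/64:   status %d\n", case_status(64, 64));
    printf("short 16/28:     status %d entry 0x%x\n", case_status(16, 28), case_entry(16, 28));
    printf("truncated 28/10: status %d\n", case_status(28, 10));
    return 0;
}
```

The four cases in `main` map onto the thread: a 64-byte claimed header is what the patch's `>` test rejects; the 16-byte claim shows the short-header side, where the entry field lands in the tail the file never supplied and so must come back as zero rather than whatever the allocator left there.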