This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



[PATCH] Buffer overrun in objcopy


Using objcopy from binutils 2.20.

When using objcopy to rename symbols using add_redefine_syms_file(), if
one of the source symbols is exactly 99 characters, the input buffer
will be overrun (by the first character in the target symbol).  The
attached patch copies the buffer resize code to the two places in this
function where I think it could potentially be a problem.

eirik

>From c62580d435fd5052c3b1173e94545ea12bcab8e9 Mon Sep 17 00:00:00 2001
From: Eirik Byrkjeflot Anonsen <eirik@opera.com>
Date: Fri, 18 Dec 2009 13:54:44 +0100
Subject: [PATCH 1/2] Extend read buffer to avoid buffer overruns.

---
 binutils/objcopy.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/binutils/objcopy.c b/binutils/objcopy.c
index 2048827..f92bdca 100644
--- a/binutils/objcopy.c
+++ b/binutils/objcopy.c
@@ -1259,6 +1259,11 @@ add_redefine_syms_file (const char *filename)
 	  c = getc (file);
 	}
       buf[len++] = '\0';
+      if (len >= bufsize)
+	{
+	  bufsize *= 2;
+	  buf = (char *) xrealloc (buf, bufsize);
+	}
       if (c == EOF)
 	break;
 
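Review bot: The new `if (len >= bufsize)` test in this first hunk sits after `buf[len++] = '\0';`, so the terminator store itself is still unchecked and is only safe if the loop above always exits with len < bufsize, which these lines do not show. Either move the test ahead of the store, or add a comment here saying that the block exists to make room for the next byte written after the terminator (the first character of the target symbol, per the description of the 99-character case). The resize also runs before `if (c == EOF) break;`; placing it after that test would avoid a realloc on the path that is about to leave the loop.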
@@ -1285,6 +1290,11 @@ add_redefine_syms_file (const char *filename)
 	  c = getc (file);
 	}
       buf[len++] = '\0';
+      if (len >= bufsize)
+	{
+	  bufsize *= 2;
+	  buf = (char *) xrealloc (buf, bufsize);
+	}
       if (c == EOF)
 	break;
 
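Review bot: The five lines added after the second `buf[len++] = '\0';` are a verbatim copy of the block in the first hunk, which leaves add_redefine_syms_file with the same grow logic pasted at every store site and makes it easy for a later store to miss it. Consider one small static helper that takes `buf`, `len` and `bufsize` and is called at each store, so the bound is enforced in a single place. The patch also carries no regression test; a redefine-syms input whose source symbol is exactly 99 characters, as described in the message, would cover both hunks.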
-- 
1.6.3.3
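The off-by-one described in the message, as an added example that is not part of the original post or of binutils. It models a reader that stores a byte and only then grows the buffer, and counts stores that would land past the end instead of performing them. The loop shape, the initial size of 100 and the names `grow`, `count_oob_stores` and `oob_at` are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Double the buffer, in the same way as the resize block in the patch.  */
static char *grow(char *buf, size_t *bufsize)
{
    *bufsize *= 2;
    buf = realloc(buf, *bufsize);
    if (buf == NULL) abort();
    return buf;
}

/* Simplified model (an assumption, not objcopy's code): parse "SRC DST" and
   return how many stores would fall outside the buffer.  Such stores are
   counted, never performed.  `patched` enables the post-terminator check.  */
static int count_oob_stores(const char *line, size_t bufsize, int patched)
{
    char *buf = malloc(bufsize);
    size_t len = 0;
    int oob = 0;
    if (buf == NULL) abort();
    for (int field = 0; field < 2; field++) {
        while (*line == ' ') line++;
        for (; *line != '\0' && *line != ' '; line++) {
            if (len < bufsize) buf[len] = *line; else oob++;
            if (++len >= bufsize) buf = grow(buf, &bufsize);
        }
        if (len < bufsize) buf[len] = '\0'; else oob++;  /* terminator */
        len++;                        /* len may now equal bufsize */
        if (patched && len >= bufsize) buf = grow(buf, &bufsize);
    }
    free(buf);
    return oob;
}

/* Constructed input: a source name of n bytes ('a' repeated), then " target". */
static int oob_at(size_t n, int patched)
{
    char line[256];                   /* callers keep n below 248 */
    memset(line, 'a', n);
    strcpy(line + n, " target");
    return count_oob_stores(line, 100, patched);
}

int main(void)
{
    for (size_t n = 98; n <= 100; n++)
        printf("%zu: unpatched=%d patched=%d\n", n, oob_at(n, 0), oob_at(n, 1));
    return 0;
}
```

In this model the same miss recurs at every name length that leaves the terminator in the last slot of the current buffer, for example 199 bytes after one doubling.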

