This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting


On Wed, Apr 06, 2011 at 06:50:15PM +0200, Kai Tietz wrote:
> Hello,
> 
> this issue was reported by H. Becker to me.  He found that the code in
> peXXigen.c about pdata-section sorting might cause a buffer-overrun
> for large pdata-data.  Working in a privately allocated buffer -
> instead of using the pfinfo->contents - avoids this.
> 
> ChangeLog
> 
> 2011-04-06  Kai Tietz
> 
>         * peXXigen.c (_bfd_XXi_final_link_postscript): Sort pdata in temporary
>         buffer.
> 
> Tested for x86_64-w64-mingw32. Ok for apply?
> 
> Regards,
> Kai

> Index: src/bfd/peXXigen.c
> ===================================================================
> --- src.orig/bfd/peXXigen.c	2010-12-21 19:33:07.000000000 +0100
> +++ src/bfd/peXXigen.c	2011-04-06 18:19:45.945394800 +0200
> @@ -2459,14 +2459,22 @@ _bfd_XXi_final_link_postscript (bfd * ab
>      if (sec)
>        {
>  	bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size;

Since this is an output section, this should just be sec->size I
think.  See section.c rawsize comment.

> +	bfd_byte *tmp_data = NULL;
>  
> -	if (x && bfd_get_section_contents (abfd, sec, pfinfo->contents, 0, x))
> +	if (x)
> +	  tmp_data = bfd_malloc (x);
> +
> +	if (tmp_data != NULL)
>  	  {
> -	    qsort (pfinfo->contents,
> -	    	   (size_t) ((sec->size <x ? sec->size : x) / 12),
> -	    	   12, sort_x64_pdata);
> -	    bfd_set_section_contents (pfinfo->output_bfd, sec,
> -	    			      pfinfo->contents, 0, x);
> +	    if (bfd_get_section_contents (abfd, sec, tmp_data, 0, x))
> +	      {
> +		qsort (tmp_data,
> +		       (size_t) ((sec->size <x ? sec->size : x) / 12),

Likewise here.  OK with those changes.

> +		       12, sort_x64_pdata);
> +		bfd_set_section_contents (pfinfo->output_bfd, sec,
> +					  tmp_data, 0, x);
> +	      }
> +	    free (tmp_data);
>  	  }
>        }
>    }
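
Review bot: The new `tmp_data` path fails silently. If `bfd_malloc (x)` returns NULL or `bfd_get_section_contents` fails, the sort is skipped with no error reported, and the return value of `bfd_set_section_contents` is ignored too. Because the buffer is now allocated here instead of borrowed from `pfinfo->contents`, allocation failure is a new way to end up with an unsorted .pdata section, so these three calls should report the failure rather than fall through. Separately, the element count `(sec->size <x ? sec->size : x) / 12` never exceeds `x / 12`, which fits the `x`-byte allocation, but the clamp becomes redundant once `x` is taken from `sec->size` alone and could then be written as `x / 12`.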


-- 
Alan Modra
Australia Development Lab, IBM

