This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



Re: [RFA:] Fix PR14481 for almost all a.out-targets


On Tue, Nov 6, 2012 at 9:12 PM, Hans-Peter Nilsson
<hans-peter.nilsson@axis.com> wrote:
>
> There's also exposed what seems to be some *actual* binutils bugs:
>
> Running /home/hp/binutils/src/binutils/testsuite/binutils-all/objcopy.exp ...
> Version /home/hp/binutils/obj/l/binutils/objcopy 2.23.51.20121106
> FAIL: objcopy -i --interleave-width
> Running /home/hp/binutils/src/binutils/testsuite/binutils-all/objdump.exp ...
> Version /home/hp/binutils/obj/l/binutils/objdump 2.23.51.20121106
> FAIL: objdump -W
> FAIL: objdump -WL
>
> In binutils.log, for "FAIL: objcopy -i --interleave-width":
> ==6873== Invalid read of size 1
> ==6873==    at 0x804C958: copy_section (objcopy.c:2826)
> ==6873==    by 0x8077D3B: bfd_map_over_sections (section.c:1329)
> ==6873==    by 0x804B042: copy_object (objcopy.c:1935)
> ==6873==    by 0x804C31A: copy_file (objcopy.c:2346)
> ==6873==    by 0x804E1C1: main (objcopy.c:4051)
> ==6873==  Address 0x402d011 is 0 bytes after a block of size 9 alloc'd
> ==6873==    at 0x4006AEE: malloc (vg_replace_malloc.c:207)
> ==6873==    by 0x8076146: bfd_malloc (libbfd.c:183)
> ==6873==    by 0x808659F: bfd_get_full_section_contents (compress.c:181)
> ==6873==    by 0x804C847: copy_section (objcopy.c:2783)
> ==6873==    by 0x8077D3B: bfd_map_over_sections (section.c:1329)
> ==6873==    by 0x804B042: copy_object (objcopy.c:1935)
> ==6873==    by 0x804C31A: copy_file (objcopy.c:2346)
> ==6873==    by 0x804E1C1: main (objcopy.c:4051)
> (repeated once)
>

I checked in this as an obvious fix.


-- 
H.J.
---
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 84ea185..688d569 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,7 @@
+2012-11-07  H.J. Lu  <hongjiu.lu@intel.com>
+
+	* objcopy.c (copy_section): Don't read beyond section end.
+
 2012-11-06  H.J. Lu  <hongjiu.lu@intel.com>

 	PR binutils/14567
diff --git a/binutils/objcopy.c b/binutils/objcopy.c
index f44ebcd..4860864 100644
--- a/binutils/objcopy.c
+++ b/binutils/objcopy.c
@@ -2823,7 +2823,11 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg)

 	  for (; from < end; from += interleave)
 	    for (i = 0; i < copy_width; i++)
-	      *to++ = from[i];
+	      {
+		if (&from[i] >= end)
+		  break;
+		*to++ = from[i];
+	      }

 	  size = (size + interleave - 1 - copy_byte) / interleave * copy_width;
 	  osection->lma /= interleave;
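
Review bot: The size computation right after the loop, `size = (size + interleave - 1 - copy_byte) / interleave * copy_width;`, still counts a full `copy_width` bytes for every group, but with the new `break` the last group can write fewer than `copy_width` bytes through `to`. In that case the reported size would cover trailing bytes the loop never wrote. Consider deriving the new size from how far `to` advanced, or confirm that the formula already matches the truncated final group. As a style point, the bound could go in the inner loop condition, `for (i = 0; i < copy_width && &from[i] < end; i++)`, which drops the added braces and the `break`.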

