author | Nick Clifton <nickc@redhat.com> | 2015-01-21 17:37:23 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2015-01-21 17:37:23 +0000 |
commit | 86eafac0aad7edbc1ccea6daf53480a36339250a (patch) | |
tree | 380943f3951e65b5a0c9968691828a424e0857c7 /bfd/coffcode.h | |
parent | ffbc46469f5fa1368251acd65da418775ab1a2ce (diff) | |
download | binutils-gdb-86eafac0aad7edbc1ccea6daf53480a36339250a.tar.gz |
Fix memory access violations triggered by running strip on fuzzed binaries.
PR binutils/17512
* coffcode.h (coff_set_arch_mach_hook): Check return value from
bfd_malloc.
(coff_slurp_line_table): Return FALSE if the line number
information was corrupt.
(coff_slurp_symbol_table): Return FALSE if the symbol information
was corrupt.
* mach-o.c (bfd_mach_o_bfd_copy_private_header_data): Always
initialise the fields of the dyld_info structure.
(bfd_mach_o_build_exec_seg_command): Replace assertion with an
error message and a return value.
(bfd_mach_o_layout_commands): Change the function to boolean.
Return FALSE if the function fails.
(bfd_mach_o_build_commands): Fail if bfd_mach_o_layout_commands
fails.
(bfd_mach_o_read_command): Fail if an unrecognised command is
encountered.
* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Set bfd_error if the
read fails.
(slurp_symtab): Check the return from bfd_malloc.
(_bfd_XX_bfd_copy_private_bfd_data_common): Fail if the copy
encountered an error.
(_bfd_XXi_final_link_postscript): Fail if a section could not be
copied.
* peicode.h (pe_bfd_object_p): Fail if the header could not be
swapped in.
* tekhex.c (first_phase): Fail if the section is too big.
* versados.c (struct esdid): Add content_size field.
(process_otr): Use and check the new field.
(versados_get_section_contents): Check that the section exists and
that the requested data is available.
PR binutils/17512
* addr2line.c (main): Call bfd_set_error_program_name.
* ar.c (main): Likewise.
* coffdump.c (main): Likewise.
* cxxfilt.c (main): Likewise.
* dlltool.c (main): Likewise.
* nlmconv.c (main): Likewise.
* nm.c (main): Likewise.
* objdump.c (main): Likewise.
* size.c (main): Likewise.
* srconv.c (main): Likewise.
* strings.c (main): Likewise.
* sysdump.c (main): Likewise.
* windmc.c (main): Likewise.
* windres.c (main): Likewise.
* objcopy.c (main): Likewise.
(copy_relocations_in_section): Check for relocs without associated
symbol pointers.
Diffstat (limited to 'bfd/coffcode.h')
-rw-r--r-- | bfd/coffcode.h | 38 |
1 files changed, 30 insertions, 8 deletions
diff --git a/bfd/coffcode.h b/bfd/coffcode.h index 9e1c20acf38..181f9af15b4 100644 --- a/bfd/coffcode.h +++ b/bfd/coffcode.h @@ -2073,10 +2073,14 @@ coff_mkobject_hook (bfd * abfd, #endif if ((internal_f->f_flags & F_GO32STUB) != 0) - coff->go32stub = (char *) bfd_alloc (abfd, (bfd_size_type) GO32_STUBSIZE); + { + coff->go32stub = (char *) bfd_alloc (abfd, (bfd_size_type) GO32_STUBSIZE); + if (coff->go32stub == NULL) + return NULL; + } if (coff->go32stub != NULL) memcpy (coff->go32stub, internal_f->go32stub, GO32_STUBSIZE); - + return coff; } #endif @@ -2278,6 +2282,8 @@ coff_set_arch_mach_hook (bfd *abfd, void * filehdr) bfd_size_type amt = bfd_coff_symesz (abfd); buf = bfd_malloc (amt); + if (buf == NULL) + return FALSE; if (bfd_seek (abfd, obj_sym_filepos (abfd), SEEK_SET) != 0 || bfd_bread (buf, amt, abfd) != amt) { @@ -2666,10 +2672,16 @@ coff_write_relocs (bfd * abfd, int first_undef) amt = s->reloc_count; amt *= sizeof (arelent *); p = bfd_malloc (amt); - if (p == NULL && s->reloc_count > 0) - return FALSE; - memcpy (p, s->orelocation, (size_t) amt); - qsort (p, s->reloc_count, sizeof (arelent *), compare_arelent_ptr); + if (p == NULL) + { + if (s->reloc_count > 0) + return FALSE; + } + else + { + memcpy (p, s->orelocation, (size_t) amt); + qsort (p, s->reloc_count, sizeof (arelent *), compare_arelent_ptr); + } } #endif @@ -4526,6 +4538,7 @@ coff_slurp_line_table (bfd *abfd, asection *asect) unsigned int nbr_func; LINENO *src; bfd_boolean have_func; + bfd_boolean ret = TRUE; BFD_ASSERT (asect->lineno == NULL); @@ -4575,6 +4588,7 @@ coff_slurp_line_table (bfd *abfd, asection *asect) (_("%B: warning: illegal symbol index 0x%lx in line number entry %d"), abfd, (long) symndx, counter); cache_ptr->line_number = -1; + ret = FALSE; continue; } 
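Review bot: The new `if (p == NULL)` branch in coff_write_relocs (hunk at -2666) accepts a NULL result when `s->reloc_count` is zero, but nothing records why, so a later cleanup could turn it back into an unconditional failure or an unconditional memcpy. A comment above the test would state the intent, for example `/* A zero-byte bfd_malloc may return NULL; that is only a failure when there are relocs to sort.  */`. The rest of the function is outside the hunk, so it is worth confirming there that `p` is never dereferenced when `reloc_count` is zero.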
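Review bot: The `ret = FALSE;` additions in coff_slurp_line_table (the hunk at -4575 and the two that follow at -4587 and -4599) turn a corrupt line-number entry into a failure return, but none of the visible lines calls bfd_set_error. A caller that prints bfd_errmsg on FALSE may therefore report a stale or "no error" code. Consider adding `bfd_set_error (bfd_error_bad_value);` next to each `ret = FALSE;`, unless the error is set outside the hunks. The message text also still says `warning:` although the condition now fails the call, which is misleading when triaging output from a malformed input.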
@@ -4587,6 +4601,7 @@ coff_slurp_line_table (bfd *abfd, asection *asect) (_("%B: warning: illegal symbol index 0x%lx in line number entry %d"), abfd, (long) symndx, counter); cache_ptr->line_number = -1; + ret = FALSE; continue; } sym = (coff_symbol_type *) (ent->u.syment._n._n_n._n_zeroes); @@ -4599,6 +4614,7 @@ coff_slurp_line_table (bfd *abfd, asection *asect) (_("%B: warning: illegal symbol in line number entry %d"), abfd, counter); cache_ptr->line_number = -1; + ret = FALSE; continue; } @@ -4678,11 +4694,15 @@ coff_slurp_line_table (bfd *abfd, asection *asect) memcpy (lineno_cache, n_lineno_cache, amt); } + else + ret = FALSE; bfd_release (abfd, func_table); } + else + ret = FALSE; } - return TRUE; + return ret; } /* Slurp in the symbol table, converting it to generic form. Note @@ -4697,6 +4717,7 @@ coff_slurp_symbol_table (bfd * abfd) unsigned int *table_ptr; bfd_size_type amt; unsigned int number_of_symbols = 0; + bfd_boolean ret = TRUE; if (obj_symbols (abfd)) return TRUE; @@ -5017,6 +5038,7 @@ coff_slurp_symbol_table (bfd * abfd) (_("%B: Unrecognized storage class %d for %s symbol `%s'"), abfd, src->u.syment.n_sclass, dst->symbol.section->name, dst->symbol.name); + ret = FALSE; case C_EXTLAB: /* External load time label. */ case C_HIDDEN: /* Ext symbol in dmert public lib. */ dst->symbol.flags = BSF_DEBUGGING; @@ -5052,7 +5074,7 @@ coff_slurp_symbol_table (bfd * abfd) } } - return TRUE; + return ret; } /* Classify a COFF symbol. A couple of targets have globally visible |
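Review bot: In the hunk at -5017 of coff_slurp_symbol_table, `ret = FALSE;` is followed directly by `case C_EXTLAB:`, so the unrecognised-storage-class branch falls through and still sets `dst->symbol.flags = BSF_DEBUGGING`. That looks deliberate, since the symbol is kept while the call is failed, but it is unmarked. Add `/* Fall through.  */` after `ret = FALSE;` so the intent is explicit and fallthrough warnings stay quiet. The switch begins and ends outside the hunk.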
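Review bot: The failure that `return ret;` now reports at the end of coff_slurp_symbol_table is not remembered across calls. The early exit visible in the hunk at -4697, `if (obj_symbols (abfd)) return TRUE;`, will report success on a later call if the symbol table was installed before this return. The assignment to obj_symbols is outside the hunks, so this needs checking. If it is also set on the corrupt path, either leave it unset when `ret` is FALSE or record the failure so that repeated calls keep returning FALSE. Otherwise a second consumer of the same bfd proceeds with symbols already flagged as corrupt.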