summaryrefslogtreecommitdiff
path: root/bfd/som.c
diff options
context:
space:
mode:
authorNick Clifton <nickc@redhat.com>2017-06-22 10:33:56 +0100
committerNick Clifton <nickc@redhat.com>2017-06-22 10:33:56 +0100
commitd19237d98d5c227bc33693057eb466702386cdfb (patch)
treefb42ede315655bb10531d4c24a3a594f08883408 /bfd/som.c
parente7d39ed3e0ca36d0dbd6ddd4cb955aa73b0974e6 (diff)
downloadbinutils-gdb-d19237d98d5c227bc33693057eb466702386cdfb.tar.gz
Fix address violation parsing a corrupt SOM binary.
PR binutils/21649 * som.c (setup_sections): NUL terminate the space_strings buffer. Check that the space.name field does not index beyond the end of the space_strings buffer.
Diffstat (limited to 'bfd/som.c')
-rw-r--r--bfd/som.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/bfd/som.c b/bfd/som.c
index 8575c891a47..98c4124bbad 100644
--- a/bfd/som.c
+++ b/bfd/som.c
@@ -2083,8 +2083,8 @@ setup_sections (bfd *abfd,
/* First, read in space names. */
amt = file_hdr->space_strings_size;
- space_strings = bfd_malloc (amt);
- if (!space_strings && amt != 0)
+ space_strings = bfd_malloc (amt + 1);
+ if (space_strings == NULL && amt != 0)
goto error_return;
if (bfd_seek (abfd, current_offset + file_hdr->space_strings_location,
@@ -2092,6 +2092,8 @@ setup_sections (bfd *abfd,
goto error_return;
if (bfd_bread (space_strings, amt, abfd) != amt)
goto error_return;
+ /* Make sure that the string table is NUL terminated. */
+ space_strings[amt] = 0;
/* Loop over all of the space dictionaries, building up sections. */
for (space_index = 0; space_index < file_hdr->space_total; space_index++)
@@ -2119,6 +2121,9 @@ setup_sections (bfd *abfd,
som_swap_space_dictionary_in (&ext_space, &space);
/* Setup the space name string. */
+ if (space.name >= file_hdr->space_strings_size)
+ goto error_return;
+
space_name = space.name + space_strings;
/* Make a section out of it. */