[Bug binutils/19005] objcopy buffer-over-read

[ams at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=19005

--- Comment #9 from Andrew Stubbs <ams at sourceware dot org> ---
No, it's the call to bfd_set_section_contents in which the UB occurs. You can
see this with valgrind:

==14966== Invalid read of size 1
==14966==    at 0x50AA0A0: _IO_default_xsputn (genops.c:480)
==14966==    by 0x50A7104: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1380)
==14966==    by 0x509D2DC: fwrite (iofwrite.c:45)
==14966==    by 0x49937B: cache_bwrite (cache.c:378)
==14966==    by 0x42B2C0: bfd_bwrite (bfdio.c:211)
==14966==    by 0x42DE66: _bfd_generic_set_section_contents (libbfd.c:885)
==14966==    by 0x42FD4F: bfd_set_section_contents (section.c:1518)
==14966==    by 0x405D18: copy_section (objcopy.c:3179)
==14966==    by 0x42FDEB: bfd_map_over_sections (section.c:1380)
==14966==    by 0x403BE6: copy_object (objcopy.c:2215)
==14966==    by 0x4057DB: copy_file (objcopy.c:2667)
==14966==    by 0x407001: main (objcopy.c:4475)
==14966==  Address 0x53cb873 is 0 bytes after a block of size 3 alloc'd
==14966==    at 0x4C2865E: malloc (vg_replace_malloc.c:270)
==14966==    by 0x42E0EA: bfd_malloc (libbfd.c:184)
==14966==    by 0x42C287: bfd_get_full_section_contents (compress.c:248)
==14966==    by 0x405B4B: copy_section (objcopy.c:3124)
==14966==    by 0x42FDEB: bfd_map_over_sections (section.c:1380)
==14966==    by 0x403BE6: copy_object (objcopy.c:2215)
==14966==    by 0x4057DB: copy_file (objcopy.c:2667)
==14966==    by 0x407001: main (objcopy.c:4475)

Neither patch fixes that. Both also leave the interleave code broken, I think.

The correct length is always the input section size after conversion, IIUC.

-- 
You are receiving this mail because:
You are on the CC list for the bug.