[Bug binutils/19005] objcopy buffer-over-read
From: ams at sourceware dot org
Subject: [Bug binutils/19005] objcopy buffer-over-read
Date: Fri, 25 Sep 2015 16:06:36 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=19005
--- Comment #9 from Andrew Stubbs <ams at sourceware dot org> ---
No, it's the call to bfd_set_section_contents in which the UB occurs. You can
see this with valgrind:
==14966== Invalid read of size 1
==14966== at 0x50AA0A0: _IO_default_xsputn (genops.c:480)
==14966== by 0x50A7104: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1380)
==14966== by 0x509D2DC: fwrite (iofwrite.c:45)
==14966== by 0x49937B: cache_bwrite (cache.c:378)
==14966== by 0x42B2C0: bfd_bwrite (bfdio.c:211)
==14966== by 0x42DE66: _bfd_generic_set_section_contents (libbfd.c:885)
==14966== by 0x42FD4F: bfd_set_section_contents (section.c:1518)
==14966== by 0x405D18: copy_section (objcopy.c:3179)
==14966== by 0x42FDEB: bfd_map_over_sections (section.c:1380)
==14966== by 0x403BE6: copy_object (objcopy.c:2215)
==14966== by 0x4057DB: copy_file (objcopy.c:2667)
==14966== by 0x407001: main (objcopy.c:4475)
==14966== Address 0x53cb873 is 0 bytes after a block of size 3 alloc'd
==14966== at 0x4C2865E: malloc (vg_replace_malloc.c:270)
==14966== by 0x42E0EA: bfd_malloc (libbfd.c:184)
==14966== by 0x42C287: bfd_get_full_section_contents (compress.c:248)
==14966== by 0x405B4B: copy_section (objcopy.c:3124)
==14966== by 0x42FDEB: bfd_map_over_sections (section.c:1380)
==14966== by 0x403BE6: copy_object (objcopy.c:2215)
==14966== by 0x4057DB: copy_file (objcopy.c:2667)
==14966== by 0x407001: main (objcopy.c:4475)
Neither patch fixes that. Both also leave the interleave code broken, I think.
The correct length is always the input section size after conversion, IIUC.
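As an added illustration (not binutils code and not either patch discussed in the thread), a small C model of the length mismatch the valgrind trace shows: the buffer is allocated at the input section size, as bfd_get_full_section_contents does, and the write length is taken either from the declared output size or, as the comment argues, from the input size after the interleave conversion. The names filter_bytes, checked_write and copy_section_model are hypothetical stand-ins, not the real objcopy/BFD routines.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for objcopy's interleave filter (not binutils code):
 * keep `width` bytes of every `interleave`, from `copy_byte`; returns new length. */
static size_t filter_bytes(unsigned char *buf, size_t size, size_t interleave,
                           size_t copy_byte, size_t width)
{
    size_t out = 0;
    for (size_t i = copy_byte; i < size; i += interleave) {
        size_t n = (i + width <= size) ? width : size - i;
        memmove(buf + out, buf + i, n);     /* compact in place */
        out += n;
    }
    return out;
}

/* Stand-in for the write path (bfd_set_section_contents -> fwrite) that
 * refuses a length the source buffer cannot supply instead of over-reading. */
static int checked_write(unsigned char *dst, size_t dst_cap,
                         const unsigned char *src, size_t src_len, size_t len)
{
    if (len > src_len || len > dst_cap)
        return -1;                          /* would read past `src` */
    memcpy(dst, src, len);
    return 0;
}

/* Model of copy_section: the buffer is sized by the input section (the 3-byte
 * block in the trace), converted, then written. use_input_length == 0 takes the
 * write length from the declared output size; 1 uses the converted input size.
 * Returns 0 and sets *nwritten, or -1 if the write would over-read. */
int copy_section_model(const unsigned char *in, size_t isize,
                       size_t declared_osize, size_t interleave,
                       size_t copy_byte, size_t width, int use_input_length,
                       unsigned char *out, size_t out_cap, size_t *nwritten)
{
    unsigned char *memhunk = malloc(isize ? isize : 1);
    if (!memhunk) return -1;
    memcpy(memhunk, in, isize);
    size_t size = isize;
    if (interleave > 1)
        size = filter_bytes(memhunk, size, interleave, copy_byte, width);
    size_t len = use_input_length ? size : declared_osize;
    int rc = checked_write(out, out_cap, memhunk, size, len);
    if (rc == 0) *nwritten = len;
    free(memhunk);
    return rc;
}
```

With a 3-byte input and a declared output size of 4, the declared-size rule is rejected by checked_write (the real write path would over-read by one byte), while the input-size rule writes exactly 3 bytes; with interleaving, the converted length is shorter still.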