[Bug binutils/28415] stack-buffer-overflow in objdump at disassemble_byt
From: guillermo.e.martinez at oracle dot com
Subject: [Bug binutils/28415] stack-buffer-overflow in objdump at disassemble_bytes (objdump.c:2905)
Date: Thu, 07 Oct 2021 02:45:16 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=28415
Guillermo E. Martinez <guillermo.e.martinez at oracle dot com> changed:
What    |Removed    |Added
----------------------------------------------------------------------------
CC      |           |guillermo.e.martinez@oracle.com
--- Comment #1 from Guillermo E. Martinez <guillermo.e.martinez at oracle dot com> ---
Hello,
This is happening because cache_bread_1 is reading fewer bytes than expected
(3314/6144 in .xt.insn for "property xtensa section")
bfd/cache.c:cache_bread_1: 0xcf2 ()
So _bfd_generic_get_section_contents is returning *false*, and this is propagated to
bfd_get_section_contents, bfd_get_full_section_contents,
bfd_malloc_and_get_section and finally retrieve_contents.
After that, the *table_data* variable is not taking care of the return value of
retrieve_contents, assuming valid bytes for such section, further used in
bfd_get_32:
bfd_vma address = bfd_get_32 (abfd, table_data + off);
I think that it could be fixed as follows:
diff --git a/bfd/elf32-xtensa.c b/bfd/elf32-xtensa.c
index e5bfbb2f509..98039757c22 100644
--- a/bfd/elf32-xtensa.c
+++ b/bfd/elf32-xtensa.c
@@ -910,7 +910,14 @@ xtensa_read_table_entries (bfd *abfd,
table_entry_size -= 4;
num_records = table_size / table_entry_size;
+
table_data = retrieve_contents (abfd, table_section, true);
+ if (table_data == 0)
+ {
+ *table_p = NULL;
+ return 0;
+ }
+
blocks = (property_table_entry *)
bfd_malloc (num_records * sizeof (property_table_entry));
block_count = 0;
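Review bot: the new `if (table_data == 0)` branch returns 0 with `*table_p = NULL`, which a caller cannot tell apart from a table that simply has no records, so a truncated section is silently treated as empty. If the function's contract has an error return, use it here so the short read can be reported. Two smaller points: compare the pointer against NULL, matching the `*table_p = NULL` two lines below, and drop the stray blank `+` line added before the `table_data =` assignment. The `bfd_malloc` result in the trailing context is also not checked in the lines shown.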
Please let me know your comments,
Kind regards,
Guillermo
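A minimal sketch of the pattern this comment describes, added here as an illustration and not taken from binutils: `struct section`, `read_contents` and `read_table` are hypothetical stand-ins. A short read makes the reader fail, and the parser reports that as -1, distinct from the 0 of an empty table.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a section: the header claims `size` bytes,
   but only `avail` bytes are really present in the file. */
struct section { const uint8_t *file; size_t size, avail; };

/* Stand-in reader (hypothetical, modelled on the failure described above):
   a short read is a failure and yields NULL, never a partial buffer. */
static uint8_t *read_contents(const struct section *s)
{
    if (s->avail < s->size)
        return NULL;
    uint8_t *buf = malloc(s->size);
    if (buf != NULL)
        memcpy(buf, s->file, s->size);
    return buf;
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8
         | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse fixed-size records whose first 4 bytes are an address.
   Returns the record count, 0 when there is nothing to parse, -1 on failure. */
int read_table(const struct section *s, size_t entry_size, uint32_t **out)
{
    *out = NULL;
    if (entry_size < 4 || s->size < entry_size)
        return 0;
    uint8_t *data = read_contents(s);
    if (data == NULL)            /* read failed: do not touch the bytes */
        return -1;
    size_t n = s->size / entry_size;
    uint32_t *addrs = malloc(n * sizeof *addrs);
    if (addrs == NULL) {
        free(data);
        return -1;
    }
    for (size_t i = 0; i < n; i++)
        addrs[i] = get_le32(data + i * entry_size);
    free(data);
    *out = addrs;
    return (int)n;
}
```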