From: Nick Clifton Date: Tue, 27 Jan 2015 15:49:12 +0000 (+0000) Subject: Fixes for memory access violations triggered by running addr2line on fuzzed binaries. X-Git-Tag: gdb-7.10-release~1826 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=877a8638ba563c667eb5358240334c473d0573a1;p=external%2Fbinutils.git Fixes for memory access violations triggered by running addr2line on fuzzed binaries. PR binutils/17512 * addr2line.c (slurp_symtab): If the symcount is zero, free the symbol table pointer. * dwarf2.c (concat_filename): Check for an empty directory table. (scan_unit_for_symbols): Check for reading off the end of the unit. (parse_comp_unit): Check for a DW_AT_comp_dir attribute with a non-string form. * elf64-ppc.c (opd_entry_value): Fail if there are no relocs available. --- diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 1b14297..9abbccd 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -4,6 +4,14 @@ * pdp11.c (aout_get_external_symbols): Return false if there are no symbols. + * dwarf2.c (concat_filename): Check for an empty directory table. + (scan_unit_for_symbols): Check for reading off the end of the + unit. + (parse_comp_unit): Check for a DW_AT_comp_dir attribute with a + non-string form. + * elf64-ppc.c (opd_entry_value): Fail if there are no relocs + available. + 2015-01-26 Kuan-Lin Chen * elf32-nds32.c (nds32_elf_pick_relax): Fix again setting. diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c index 118092c..ccc1365 100644 --- a/bfd/dwarf2.c +++ b/bfd/dwarf2.c @@ -1387,7 +1387,9 @@ concat_filename (struct line_info_table *table, unsigned int file) char *name; size_t len; - if (table->files[file - 1].dir) + if (table->files[file - 1].dir + /* PR 17512: file: 7f3d2e4b. */ + && table->dirs != NULL) subdir_name = table->dirs[table->files[file - 1].dir - 1]; if (!subdir_name || !IS_ABSOLUTE_PATH (subdir_name)) @@ -2340,6 +2342,10 @@ scan_unit_for_symbols (struct comp_unit *unit) bfd_vma high_pc = 0; bfd_boolean high_pc_relative = FALSE; + /* PR 17512: file: 9f405d9d. */ + if (info_ptr >= unit->stash->info_ptr_end) + goto fail; + abbrev_number = read_unsigned_leb128 (abfd, info_ptr, &bytes_read); info_ptr += bytes_read; @@ -2721,6 +2727,15 @@ parse_comp_unit (struct dwarf2_debug *stash, case DW_AT_comp_dir: { char *comp_dir = attr.u.str; + + /* PR 17512: file: 1fe726be. */ + if (! is_str_attr (attr.form)) + { + (*_bfd_error_handler) + (_("Dwarf Error: DW_AT_comp_dir attribute encountered with a non-string form.")); + comp_dir = NULL; + } + if (comp_dir) { /* Irix 6.2 native cc prepends .: to the compilation diff --git a/bfd/elf64-ppc.c b/bfd/elf64-ppc.c index 5a1ee50..8c7c3b7 100644 --- a/bfd/elf64-ppc.c +++ b/bfd/elf64-ppc.c @@ -5978,6 +5978,9 @@ opd_entry_value (asection *opd_sec, relocs = ppc64_elf_tdata (opd_bfd)->opd.relocs; if (relocs == NULL) relocs = _bfd_elf_link_read_relocs (opd_bfd, opd_sec, NULL, NULL, TRUE); + /* PR 17512: file: df8e1fd6. */ + if (relocs == NULL) + return (bfd_vma) -1; /* Go find the opd reloc at the sym address. */ lo = relocs; diff --git a/binutils/ChangeLog b/binutils/ChangeLog index a017c64..53ec072 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -4,6 +4,9 @@ * dlltool.c (identify_search_archive): If the last archive was the same as the current archive, terminate the loop. + * addr2line.c (slurp_symtab): If the symcount is zero, free the + symbol table pointer. + 2015-01-23 Nick Clifton * nlmconv.c (powerpc_mangle_relocs): Fix build errors introduced diff --git a/binutils/addr2line.c b/binutils/addr2line.c index d37145e..e121c74 100644 --- a/binutils/addr2line.c +++ b/binutils/addr2line.c @@ -140,6 +140,14 @@ slurp_symtab (bfd *abfd) syms = xmalloc (storage); symcount = bfd_canonicalize_dynamic_symtab (abfd, syms); } + + /* PR 17512: file: 2a1d3b5b. + Do not pretend that we have some symbols when we don't. */ + if (symcount <= 0) + { + free (syms); + syms = NULL; + } } /* These global variables are used to pass information between