From d19237d98d5c227bc33693057eb466702386cdfb Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Thu, 22 Jun 2017 10:33:56 +0100
Subject: [PATCH] Fix address violation parsing a corrupt SOM binary.

	PR binutils/21649
	* som.c (setup_sections): NUL terminate the space_strings buffer.
	Check that the space.name field does not index beyond the end of
	the space_strings buffer.
---
 bfd/ChangeLog | 7 +++++++
 bfd/som.c     | 9 +++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index b1cf4f9..57a07a5 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2017-06-22  Nick Clifton
+
+	PR binutils/21649
+	* som.c (setup_sections): NUL terminate the space_strings buffer.
+	Check that the space.name field does not index beyond the end of
+	the space_strings buffer.
+
 2017-06-21  Nick Clifton
 
 	PR binutils/21646
diff --git a/bfd/som.c b/bfd/som.c
index 8575c89..98c4124 100644
--- a/bfd/som.c
+++ b/bfd/som.c
@@ -2083,8 +2083,8 @@ setup_sections (bfd *abfd,
   /* First, read in space names.  */
 
   amt = file_hdr->space_strings_size;
-  space_strings = bfd_malloc (amt);
-  if (!space_strings && amt != 0)
+  space_strings = bfd_malloc (amt + 1);
+  if (space_strings == NULL && amt != 0)
     goto error_return;
 
   if (bfd_seek (abfd, current_offset + file_hdr->space_strings_location,
@@ -2092,6 +2092,8 @@ setup_sections (bfd *abfd,
     goto error_return;
   if (bfd_bread (space_strings, amt, abfd) != amt)
     goto error_return;
+  /* Make sure that the string table is NUL terminated.  */
+  space_strings[amt] = 0;
 
   /* Loop over all of the space dictionaries, building up sections.  */
   for (space_index = 0; space_index < file_hdr->space_total; space_index++)
@@ -2119,6 +2121,9 @@ setup_sections (bfd *abfd,
       som_swap_space_dictionary_in (&ext_space, &space);
 
       /* Setup the space name string.  */
+      if (space.name >= file_hdr->space_strings_size)
+        goto error_return;
+
       space_name = space.name + space_strings;
 
       /* Make a section out of it.  */
-- 
2.7.4
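Review bot: The `&& amt != 0` on the new `if (space_strings == NULL && amt != 0)` line in the first som.c hunk is now stale: with `bfd_malloc (amt + 1)` the request is never zero-sized, so a NULL return always means the allocation failed, yet for `amt == 0` that failure is ignored and the `space_strings[amt] = 0;` added in the second hunk then writes through a null pointer. Drop the size condition: `if (space_strings == NULL) goto error_return;`. Whether `amt + 1` can wrap depends on the width of bfd_size_type relative to the header's space_strings_size field, which is not visible here; if they are the same width, a bound on `amt` before the addition is needed as well. setup_sections starts before and ends after this hunk.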
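Review bot: The new bound check in the third som.c hunk compares `space.name` against `file_hdr->space_strings_size` rather than `amt`, the value the buffer was actually allocated and read with earlier in the same function; `if (space.name >= amt) goto error_return;` keeps the guard tied to the allocation if either value is ever adjusted independently. The check itself is correct, since with the buffer now NUL terminated any index below the size yields a bounded string. If subspace names later in setup_sections are resolved against the same space_strings table (outside this hunk), they presumably need the same guard — confirm. setup_sections continues beyond the hunk.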