From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001 From: Alan Modra <amodra@gmail.com> Date: Wed, 20 Feb 2019 08:21:24 +1030 Subject: [PATCH] PR24236, Heap buffer overflow in _bfd_archive_64_bit_slurp_armap PR 24236 * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding sentinel NUL to string buffer nearer to loop where it is used. Don't go past sentinel when scanning strings, and don't write NUL again. * archive.c (do_slurp_coff_armap): Simplify string handling to archive64.c style. --- bfd/archive.c | 17 +++++++---------- bfd/archive64.c | 10 +++++----- 3 files changed, 22 insertions(+), 15 deletions(-) diff --git a/bfd/archive.c b/bfd/archive.c index d2d9b72..68a92a3 100644 --- a/bfd/archive.c +++ b/bfd/archive.c @@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd) int *raw_armap, *rawptr; struct artdata *ardata = bfd_ardata (abfd); char *stringbase; + char *stringend; bfd_size_type stringsize; bfd_size_type parsed_size; carsym *carsyms; @@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd) } /* OK, build the carsyms. */ - for (i = 0; i < nsymz && stringsize > 0; i++) + stringend = stringbase + stringsize; + *stringend = 0; + for (i = 0; i < nsymz; i++) { - bfd_size_type len; - rawptr = raw_armap + i; carsyms->file_offset = swap ((bfd_byte *) rawptr); carsyms->name = stringbase; - /* PR 17512: file: 4a1d50c1. */ - len = strnlen (stringbase, stringsize); - if (len < stringsize) - len ++; - stringbase += len; - stringsize -= len; + stringbase += strlen (stringbase); + if (stringbase != stringend) + ++stringbase; carsyms++; } - *stringbase = 0; ardata->symdef_count = nsymz; ardata->first_file_filepos = bfd_tell (abfd); diff --git a/bfd/archive64.c b/bfd/archive64.c index 312bf82..42f6ed9 100644 --- a/bfd/archive64.c +++ b/bfd/archive64.c @@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) return FALSE; carsyms = ardata->symdefs; stringbase = ((char *) ardata->symdefs) + carsym_size; - stringbase[stringsize] = 0; - stringend = stringbase + stringsize; raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize); if (raw_armap == NULL) @@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) goto release_raw_armap; } + stringend = stringbase + stringsize; + *stringend = 0; for (i = 0; i < nsymz; i++) { carsyms->file_offset = bfd_getb64 (raw_armap + i * 8); carsyms->name = stringbase; - if (stringbase < stringend) - stringbase += strlen (stringbase) + 1; + stringbase += strlen (stringbase); + if (stringbase != stringend) + ++stringbase; ++carsyms; } - *stringbase = '\0'; ardata->symdef_count = nsymz; ardata->first_file_filepos = bfd_tell (abfd); -- 2.9.3