From 86eafac0aad7edbc1ccea6daf53480a36339250a Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Wed, 21 Jan 2015 17:37:23 +0000 Subject: Fix memory access violations triggered by running strip on fuzzed binaries. PR binutils/17512 * coffcode.h (coff_set_arch_mach_hook): Check return value from bfd_malloc. (coff_slurp_line_table): Return FALSE if the line number information was corrupt. (coff_slurp_symbol_table): Return FALSE if the symbol information was corrupt. * mach-o.c (bfd_mach_o_bfd_copy_private_header_data): Always initialise the fields of the dyld_info structure. (bfd_mach_o_build_exec_seg_command): Replace assertion with an error message and a return value. (bfd_mach_o_layout_commands): Change the function to boolean. Return FALSE if the function fails. (bfd_mach_o_build_commands): Fail if bfd_mach_o_layout_commands fails. (bfd_mach_o_read_command): Fail if an unrecognised command is encountered. * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Set bfd_error if the read fails. (slurp_symtab): Check the return from bfd_malloc. (_bfd_XX_bfd_copy_private_bfd_data_common): Fail if the copy encountered an error. (_bfd_XXi_final_link_postscript): Fail if a section could not be copied. * peicode.h (pe_bfd_object_p): Fail if the header could not be swapped in. * tekhex.c (first_phase): Fail if the section is too big. * versados.c (struct esdid): Add content_size field. (process_otr): Use and check the new field. (versados_get_section_contents): Check that the section exists and that the requested data is available. PR binutils/17512 * addr2line.c (main): Call bfd_set_error_program_name. * ar.c (main): Likewise. * coffdump.c (main): Likewise. * cxxfilt.c (main): Likewise. * dlltool.c (main): Likewise. * nlmconv.c (main): Likewise. * nm.c (main): Likewise. * objdump.c (main): Likewise. * size.c (main): Likewise. * srconv.c (main): Likewise. * strings.c (main): Likewise. * sysdump.c (main): Likewise. * windmc.c (main): Likewise. * windres.c (main): Likewise. * objcopy.c (main): Likewise. (copy_relocations_in_section): Check for relocs without associated symbol pointers. --- bfd/peXXigen.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) (limited to 'bfd/peXXigen.c') diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c index 0abe609f2e..122ddf1256 100644 --- a/bfd/peXXigen.c +++ b/bfd/peXXigen.c @@ -526,6 +526,8 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, (*_bfd_error_handler) (_("%B: aout header specifies an invalid number of data-directory entries: %d"), abfd, a->NumberOfRvaAndSizes); + bfd_set_error (bfd_error_bad_value); + /* Paranoia: If the number is corrupt, then assume that the actual entries themselves might be corrupt as well. */ a->NumberOfRvaAndSizes = 0; @@ -2007,7 +2009,11 @@ slurp_symtab (bfd *abfd, sym_cache *psc) if (storage < 0) return NULL; if (storage) - sy = (asymbol **) bfd_malloc (storage); + { + sy = (asymbol **) bfd_malloc (storage); + if (sy == NULL) + return NULL; + } psc->symcount = bfd_canonicalize_symtab (abfd, sy); if (psc->symcount < 0) @@ -2963,8 +2969,16 @@ _bfd_XX_bfd_copy_private_bfd_data_common (bfd * ibfd, bfd * obfd) } if (!bfd_set_section_contents (obfd, section, data, 0, section->size)) - _bfd_error_handler (_("Failed to update file offsets in debug directory")); + { + _bfd_error_handler (_("Failed to update file offsets in debug directory")); + return FALSE; + } } + else if (section) + { + _bfd_error_handler (_("%A: Failed to read debug data section"), obfd); + return FALSE; + } } return TRUE; @@ -4475,6 +4489,8 @@ _bfd_XXi_final_link_postscript (bfd * abfd, struct coff_final_link_info *pfinfo) } free (tmp_data); } + else + result = FALSE; } } #endif -- cgit v1.2.3