Re: found vuln in bfd lib Coff code

From: Nick Clifton
Subject: Re: found vuln in bfd lib Coff code
Date: Wed, 17 Aug 2005 18:50:03 +0100
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)


Found a new vuln in bfd lib coff code, similar to the last one...

        In the do_slurp_coff_armap() function:

        static bfd_boolean
        do_slurp_coff_armap (bfd *abfd)
        {
          ...
          carsym_size = (nsymz * sizeof (carsym)); // uses the nsymz from file
          ptrsize = (4 * nsymz);                   // integer overflow here

          /* Allocate and read in the raw offsets.  */
          raw_armap = bfd_alloc (abfd, ptrsize);   // allocate wrong memory size
          if (raw_armap == NULL)
            goto release_symdefs;

I do not understand why this can lead to a vulnerability. Even if the computation of "ptrsize" does overflow, all that will happen is that the code will read in too little of the archive's map. The code in bfd_alloc() treats the size parameter as unsigned and it copes with a very large value which is too big to be allocated. So where is the vulnerability?
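The arithmetic the two posters are discussing, as an added stand-alone example. This is not binutils/BFD code and not code from either poster: it models the `ptrsize = (4 * nsymz)` computation from the quoted fragment with a hypothetical 32-bit size type (so the wrap-around is visible on any host), reads a constructed big-endian count the way a map header might carry it, and sets the unchecked computation beside an overflow-checked one. The names (`demo_size_type`, `ptrsize_unchecked`, `ptrsize_checked`, `read_count_be32`), the 32-bit width, the assumed big-endian encoding and the `member_size` bound are all assumptions for the demo, not facts about BFD.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 32-bit size type standing in for the archive size type in
   the quoted fragment; chosen so the wrap-around is observable everywhere. */
typedef uint32_t demo_size_type;

/* Unchecked computation, mirroring `ptrsize = (4 * nsymz);` in the report.
   For nsymz >= 0x40000000 the product exceeds 32 bits and wraps. */
demo_size_type ptrsize_unchecked(demo_size_type nsymz)
{
    return 4 * nsymz;
}

/* Checked computation: reject a count whose byte size would not fit the
   type, and a count that claims more 4-byte offsets than the enclosing
   archive member (member_size, an assumed parameter) could contain.
   Returns true and stores the byte size in *out on success. */
bool ptrsize_checked(demo_size_type nsymz, demo_size_type member_size,
                     demo_size_type *out)
{
    if (nsymz > UINT32_MAX / 4)       /* 4 * nsymz would wrap */
        return false;
    demo_size_type bytes = 4 * nsymz;
    if (bytes > member_size)           /* member cannot hold that many offsets */
        return false;
    *out = bytes;
    return true;
}

/* Convenience wrapper: the accepted byte size, or UINT32_MAX if rejected.
   (0 is a legitimate result for an empty map, so it cannot be the sentinel.) */
demo_size_type ptrsize_checked_or_max(demo_size_type nsymz,
                                      demo_size_type member_size)
{
    demo_size_type out;
    return ptrsize_checked(nsymz, member_size, &out) ? out : UINT32_MAX;
}

/* Decode the 32-bit symbol count at the start of a map.  Big-endian is an
   assumption made for the constructed input below. */
demo_size_type read_count_be32(const unsigned char *p)
{
    return ((demo_size_type)p[0] << 24) | ((demo_size_type)p[1] << 16)
         | ((demo_size_type)p[2] << 8)  |  (demo_size_type)p[3];
}

int main(void)
{
    /* Constructed map header: nsymz = 0x40000001, inside a member that the
       demo pretends is 64 bytes long. */
    const unsigned char hdr[4] = { 0x40, 0x00, 0x00, 0x01 };
    demo_size_type nsymz = read_count_be32(hdr);
    demo_size_type member_size = 64;
    demo_size_type checked;

    printf("nsymz             = 0x%08" PRIx32 "\n", nsymz);
    printf("unchecked ptrsize = %" PRIu32 " bytes (wrapped)\n",
           ptrsize_unchecked(nsymz));
    if (!ptrsize_checked(nsymz, member_size, &checked))
        printf("checked ptrsize   = rejected (count does not fit the member)\n");
    else
        printf("checked ptrsize   = %" PRIu32 " bytes\n", checked);
    return 0;
}
```

With the constructed count 0x40000001 the unchecked product is 4 bytes, so an allocation sized from it would be far smaller than the count implies; the checked version refuses the count before any allocation happens. Whether the wrapped size is merely a short read, as the reply above argues, or something worse depends on what the surrounding code does with `nsymz` afterwards, which this page does not show; the example only makes the two computations concrete.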

