bug-binutils


two patches for bugs in BFD/peXXigen.c


From: Marcus Brinkmann
Subject: two patches for bugs in BFD/peXXigen.c
Date: 3 Sep 2010 01:24:34 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.11) Gecko/20100713 Thunderbird/3.0.6

Hi,

while working on free software ports to Windows CE I noticed two bugs in
binutils' BFD support for some PE files (for example, kmail-mobile.exe built
with MSVC).  Fixes for both are included below.  Copyright assignments by g10
Code GmbH are on file at the FSF.  If you need anything else, just let me
know.  The file that triggers these bugs can be found at:

ftp://ftp.g10code.com/people/marcus/kmail-mobile-binutils-test.exe.gz

The first issue concerns import tables where the thunk table is found in a
different section.  In this case, BFD tries to load DATASIZE bytes from that
section at the beginning of the thunk array, but DATASIZE is the remaining
bytes in the import table section starting from the beginning of the import
table.  This number is in no way related to the size of the thunk table or the
section in which this thunk table is to be found.  So, my patch introduces a
new size, limit_size, which is correctly calculated and used in the
appropriate places.  Without the patch, no import symbols would be shown for
kmail-mobile.exe (Visual Studio 2008, Windows CE), because the data section is
in this case not large enough to read DATASIZE bytes from it.  With the patch,
loading LIMIT_SIZE bytes succeeds and all import symbols are shown correctly.

The second issue concerns the support for compressed pdata for Windows CE.
In this code there is a simple memory leak.  First, the whole section is
malloced and copied to TDATA, then immediately TDATA is overwritten with a
much smaller buffer to which only the required section data is copied, leaking
memory in the size of the section for each entry in the table.  For
kmail-mobile.exe, the table is very large (hundreds of entries), leaking
gigabytes of memory quickly and basically creating a denial of service attack.

Thanks a lot,
Marcus Brinkmann
address@hidden

--
g10 Code GmbH       http://g10code.com      AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61                               Geschäftsführung Werner Koch
D-40699 Erkrath  -=- The GnuPG Experts -=-  USt-Id DE215605608

Attachment: 01-idata.patch
Description: Text Data

Attachment: 02-pdata.patch
Description: Text Data
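The first issue above is a bounds-check chosen from the wrong section: the remaining size of the import-table section says nothing about how many bytes exist after the thunk RVA in the section that actually holds the thunk array. The following is an added example, not code from the report, the attached patches or BFD's peXXigen.c. It models a PE image as a hypothetical table of sections (constructed sample bytes, little-endian, 32-bit thunks), computes both the report's DATASIZE figure and the per-section LIMIT_SIZE figure, and walks a zero-terminated thunk array without leaving the section it lives in. The names `pe_section`, `import_table_remaining`, `thunk_limit_size` and `count_thunks` are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal section model for this example (not BFD's asection). */
typedef struct {
    const char *name;
    uint32_t vma;          /* RVA at which the section is mapped */
    uint32_t size;         /* bytes of section contents actually available */
    const uint8_t *data;   /* section contents */
} pe_section;

/* Constructed sample image: the import table sits at the start of .idata,
   while the thunk array it points to lives in .data, as in the report.
   .rdata holds an array with no terminator, to show the truncated case. */
static const uint8_t idata_bytes[0x40] = { 0 };   /* import directory, contents irrelevant here */
static const uint8_t data_bytes[0x20] = {
    /* 0x00..0x0f: unrelated data (zero) */
    [0x10] = 0x11, 0x11, 0x00, 0x00,   /* thunk array: three entries ... */
             0x22, 0x22, 0x00, 0x00,
             0x33, 0x33, 0x00, 0x00,
             0x00, 0x00, 0x00, 0x00,   /* ... and the zero terminator */
};
static const uint8_t rdata_bytes[8] = { 0x44, 0x44, 0, 0, 0x55, 0x55, 0, 0 };

static const pe_section sections[] = {
    { ".idata", 0x5000, sizeof idata_bytes, idata_bytes },
    { ".data",  0x3000, sizeof data_bytes,  data_bytes  },
    { ".rdata", 0x4000, sizeof rdata_bytes, rdata_bytes },
};
#define NSECTIONS (sizeof sections / sizeof sections[0])

/* Section containing RVA rva, or NULL if no section maps it. */
static const pe_section *find_section(uint32_t rva)
{
    for (size_t i = 0; i < NSECTIONS; i++)
        if (rva >= sections[i].vma && rva < sections[i].vma + sections[i].size)
            return &sections[i];
    return NULL;
}

/* The figure the report calls DATASIZE: bytes left in the import-table
   section from the import table onwards.  It bounds nothing when the thunk
   array lives in another section. */
uint32_t import_table_remaining(uint32_t import_table_rva)
{
    const pe_section *s = find_section(import_table_rva);
    return s ? s->vma + s->size - import_table_rva : 0;
}

/* The figure the report calls LIMIT_SIZE: bytes readable from the section
   that actually contains the thunk array, starting at the array itself.
   Returns 0 if no section contains thunk_rva. */
uint32_t thunk_limit_size(uint32_t thunk_rva)
{
    const pe_section *s = find_section(thunk_rva);
    return s ? s->vma + s->size - thunk_rva : 0;
}

/* Walk a zero-terminated 32-bit thunk array without reading past the end of
   its section.  Returns the number of entries before the terminator, or -1
   if thunk_rva maps nowhere or no terminator appears within limit_size bytes
   (truncated or malformed table). */
int count_thunks(uint32_t thunk_rva)
{
    const pe_section *s = find_section(thunk_rva);
    if (!s)
        return -1;
    uint32_t limit = s->vma + s->size - thunk_rva;
    const uint8_t *p = s->data + (thunk_rva - s->vma);
    int n = 0;
    for (uint32_t off = 0; off + 4 <= limit; off += 4) {
        uint32_t entry;
        memcpy(&entry, p + off, 4);   /* zero is zero in any byte order */
        if (entry == 0)
            return n;
        n++;
    }
    return -1;
}

int main(void)
{
    uint32_t import_rva = 0x5000, thunk_rva = 0x3010;
    printf("DATASIZE (remaining .idata, wrong bound): 0x%x\n", import_table_remaining(import_rva));
    printf("LIMIT_SIZE (remaining .data from thunks): 0x%x\n", thunk_limit_size(thunk_rva));
    printf("thunks at 0x%x: %d\n", thunk_rva, count_thunks(thunk_rva));
    printf("thunks at 0x4000 (unterminated): %d\n", count_thunks(0x4000));
    return 0;
}
```

With the sample image, DATASIZE comes out as 0x40 bytes while only 0x10 bytes exist after the thunk RVA in .data; a reader that insists on DATASIZE bytes from .data fails and reports no imports, which is the symptom the report describes. The walk is bounded by the containing section, so the unterminated array in .rdata is reported as truncated rather than read past the section end.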

