[Bug binutils/13300] New: out-of-bounds memcpy in peXXigen.c


From: Pascal.Stumpf at cubes dot de
Subject: [Bug binutils/13300] New: out-of-bounds memcpy in peXXigen.c
Date: Sat, 15 Oct 2011 18:05:12 +0000

http://sourceware.org/bugzilla/show_bug.cgi?id=13300

             Bug #: 13300
           Summary: out-of-bounds memcpy in peXXigen.c
           Product: binutils
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: binutils
        AssignedTo: address@hidden
        ReportedBy: address@hidden
    Classification: Unclassified


In bfd, peXXigen.c, lines 252 and 326, a memcpy is done to a buffer of size 14
(declared in coff/internal.h) with a length of FILNMLEN. FILNMLEN is defined as
14 in coff/internal.h, however it is redefined in coff/pe.h as 18 (included
after coff/internal.h). So the memcpy will attempt to copy 18 bytes into a
14-byte buffer. (This was caught by the -Wbounded flag for gcc on OpenBSD.)

I don't have much insight on the motivation behind having different definitions
for FILNMLEN/E_FILNMLEN, but it probably should be defined consistently as
either 14 or 18 to avoid confusion. Or even better, define it in *one* place
instead of so many.
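
The mismatch this report describes, as an added example that is not code from binutils or from the reporter: the struct, field and function names are hypothetical, and the two `#define`s stand in for coff/internal.h and coff/pe.h. It measures how far a FILNMLEN-length copy would overrun the buffer and shows a copy bounded by the destination's own size.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the first header: the buffer is sized while FILNMLEN is 14. */
#define FILNMLEN 14
struct aux_file_demo {        /* hypothetical struct, not the bfd one */
    char fname[FILNMLEN];     /* 14 bytes, fixed at this point */
    char guard[4];            /* neighbour an 18-byte copy would overwrite */
};

/* Stand-in for the later header: same macro name, new value. */
#undef FILNMLEN
#define FILNMLEN 18

/* Compile-time check for the mismatch; when enabled the build stops (14 != 18). */
#ifdef ENFORCE_FILNMLEN_MATCH
_Static_assert(sizeof(((struct aux_file_demo *)0)->fname) == FILNMLEN,
               "FILNMLEN changed after the buffer was declared");
#endif

/* Length that memcpy(dst->fname, src, FILNMLEN) would use at this point. */
size_t macro_copy_len(void) { return FILNMLEN; }
/* Real capacity of the destination field. */
size_t dest_capacity(void) { return sizeof(((struct aux_file_demo *)0)->fname); }
/* Bytes the macro-length copy would write past the end of fname. */
size_t overflow_bytes(void)
{
    return macro_copy_len() > dest_capacity() ? macro_copy_len() - dest_capacity() : 0;
}

/* Bounded copy: length comes from the destination, not the macro. Returns bytes copied. */
size_t copy_fname_bounded(struct aux_file_demo *dst, const char *src, size_t src_len)
{
    size_t n = src_len < sizeof dst->fname ? src_len : sizeof dst->fname;
    memset(dst->fname, 0, sizeof dst->fname);
    memcpy(dst->fname, src, n);
    return n;
}

int main(void)
{
    struct aux_file_demo a = {0};
    const char src[18] = "ABCDEFGHIJKLMNOPQ";   /* constructed 18-byte input */
    size_t n = copy_fname_bounded(&a, src, sizeof src);
    printf("capacity=%zu macro=%zu overflow=%zu copied=%zu guard_intact=%d\n",
           dest_capacity(), macro_copy_len(), overflow_bytes(), n, a.guard[0] == 0);
    return 0;
}
```

Building with `-DENFORCE_FILNMLEN_MATCH` turns the mismatch into a compile error, which is the kind of check that keeps a later redefinition from silently changing a copy length.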
