[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/17605] New: ar crashes on malformed archive
|
From: |
cherepan at mccme dot ru |
|
Subject: |
[Bug binutils/17605] New: ar crashes on malformed archive |
|
Date: |
Sun, 16 Nov 2014 15:16:25 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=17605
Bug ID: 17605
Summary: ar crashes on malformed archive
Product: binutils
Version: 2.26 (HEAD)
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: cherepan at mccme dot ru
Test:
$ printf '!<arch>\n%16s%-32s%-10s`\n' '' 100000000000000000 0 > test.a
$ ar tv test.a
Segmentation fault
It crashes inside binutils-gdb/binutils/bucomm.c:
424 if (bfd_stat_arch_elt (abfd, &buf) == 0)
425 {
426 char modebuf[11];
427 char timebuf[40];
428 time_t when = buf.st_mtime;
429 const char *ctime_result = (const char *) ctime (&when);
430 bfd_size_type size;
431
432 /* POSIX format: skip weekday and seconds from ctime output.
*/
433 sprintf (timebuf, "%.12s %.4s", ctime_result + 4,
ctime_result + 20);
'when' is too big, 'ctime' returns 0, which gets derefenced inside sprintf.
Seems not to be exploitable.
Found with American Fuzzy Lop.
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/17605] New: ar crashes on malformed archive,
cherepan at mccme dot ru <=