[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/19518] New: readelf - missing return value check in MIPS t
|
From: |
vpbalint at silentsignal dot hu |
|
Subject: |
[Bug binutils/19518] New: readelf - missing return value check in MIPS timestamp d_tag processing |
|
Date: |
Mon, 25 Jan 2016 12:41:23 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=19518
Bug ID: 19518
Summary: readelf - missing return value check in MIPS timestamp
d_tag processing
Product: binutils
Version: 2.24
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: vpbalint at silentsignal dot hu
Target Milestone: ---
Created attachment 8923
--> https://sourceware.org/bugzilla/attachment.cgi?id=8923&action=edit
AFL generated test case
readelf tries to access invalid memory when parsing timestamp dtag entries from
MIPS binaries:
Relevant code from readelf.c:
static void
dynamic_section_mips_val (Elf_Internal_Dyn * entry)
{
switch (entry->d_tag)
{
// ...
case DT_MIPS_TIME_STAMP:
{
char timebuf[20];
struct tm * tmp;
time_t atime = entry->d_un.d_val;
tmp = gmtime (&atime);
snprintf (timebuf, sizeof (timebuf), "%04u-%02u-%02uT%02u:%02u:%02u",
tmp->tm_year + 1900, tmp->tm_mon + 1, tmp->tm_mday,
tmp->tm_hour, tmp->tm_min, tmp->tm_sec);
printf (_("Time Stamp: %s"), timebuf);
}
break;
// ...
Since tmp can be NULL if atime is invalid, the subsequent snprintf() call
results in a segmentation fault.
The attached binary can be used to reproduce the problem.
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/19518] New: readelf - missing return value check in MIPS timestamp d_tag processing,
vpbalint at silentsignal dot hu <=