bug-binutils

[Bug binutils/21786] Stack-buffer-overflow in {coff,coff64}-rs6000.c


From: nickc at redhat dot com
Subject: [Bug binutils/21786] Stack-buffer-overflow in {coff,coff64}-rs6000.c
Date: Wed, 19 Jul 2017 10:16:13 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=21786

Nick Clifton <nickc at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |nickc at redhat dot com
         Resolution|---                         |FIXED

--- Comment #4 from Nick Clifton <nickc at redhat dot com> ---
Hi Ned,

  Thanks for reporting this bug.  Unfortunately the patch you proposed will
  not work as the numeric strings in the archive header structure are not
  guaranteed to be NUL terminated.  In fact the specification explicitly
  states:

    16 Archive Member Headers
    Each member (linker, longnames, or object-file member) is preceded 
    by a header.  An archive member header has the following format, 
    in which each field is an ASCII text string that is left justified
    and padded with spaces to the end of the field.  There is no 
    terminating null character in any of these fields.

  This is from "Microsoft Portable Executable and Common Object File 
  Format Specification Revision 8.3 – February 6, 2013"

  So whilst there *might* be a space at the end of the field there definitely
  will not be a NUL character.

  The alternative is to copy the field into a NUL terminated buffer before
  attempting to parse it, and this is what I have done with the patch
  recently committed.  As a bonus I also fixed up the places where strtoll
  (instead of strtol) should have been used to read 20 character numeric 
  values.

Cheers
  Nick

-- 
You are receiving this mail because:
You are on the CC list for the bug.
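An added example (not the binutils commit and not the code in coff-rs6000.c) of the approach described above: the space-padded field is copied into a local NUL-terminated buffer and only then handed to strtoll, with the numeric-field checks a parser of untrusted archive headers would want. The field widths and the sample header bytes are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Parse a fixed-width, space-padded ASCII decimal field that carries no
   terminating NUL (as the PE/COFF spec says of archive member headers).
   The bytes are copied into a local NUL-terminated buffer first, so
   strtoll can never scan past the field into whatever follows it in the
   header.  Returns 1 and stores the value in *out on success; 0 on an
   empty field, non-digit characters, or overflow.  */
int
parse_header_field (const char *field, size_t width, long long *out)
{
  char buf[21];            /* largest field accepted: 20 chars + NUL */
  char *end;
  long long val;

  if (width == 0 || width >= sizeof (buf))
    return 0;

  memcpy (buf, field, width);
  buf[width] = '\0';

  /* Drop the trailing space padding.  Fields are left-justified, so
     anything left after this should be the digits themselves.  */
  while (width > 0 && buf[width - 1] == ' ')
    buf[--width] = '\0';
  if (width == 0)
    return 0;

  errno = 0;
  val = strtoll (buf, &end, 10);
  if (errno == ERANGE || end == buf || *end != '\0')
    return 0;

  *out = val;
  return 1;
}

/* Convenience wrapper: the parsed value, or -1 if the field is invalid.  */
long long
parse_or_fail (const char *field, size_t width)
{
  long long v;
  return parse_header_field (field, width, &v) ? v : -1;
}

/* Constructed sample: a 20-byte size field followed directly by a 12-byte
   date field, with no NUL between them.  A bare strtoll on the size field
   would read straight through into the date field and beyond.  */
static const char sample_hdr[] =
  "123456789012        "   /* 20-char numeric, space padded */
  "1500000000  ";          /* 12-char numeric, space padded */

long long
sample_size (void)
{
  return parse_or_fail (sample_hdr, 20);   /* returns 123456789012 */
}
```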

