[Bug binutils/23061] objcopy segfault in coff_mangle_symbols

[nickc at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=23061

--- Comment #4 from Nick Clifton <nickc at redhat dot com> ---
(In reply to Tom Ritter from comment #3)

Hi Tom,

> However, looking at the patch, it seems to me that it just does a sanity
> check to prevent doing something that would be illegal.

Ah - you noticed...

> I had thought my
> input data was (supposedly) valid - but it seems that is not the case. Do
> you agree?

Well - I actually suspect that the problem is not that the data is illegal
per-se, but rather that there is too much of it.  Now don't quote me on this,
because this is just a feeling rather than a certainty, but I would guess that
firefox has so many symbols in it that they are filling up, and overflowing
a table somewhere.  (Or maybe an 32-bit offset is wrapping around and causing
problems that way).


> If you know, would you be able to tell me where in the file format (what
> fields, etc) this illegal data is? 

Well, the problem appears to be that the:

  auxent->u.auxent.x_sym.x_fcnary.x_fcn.x_endndx.l

field is ridiculously large, for the symbol that is causing the problems.
(There may be more than one symbol, I did not check).  Since this field
is initialised (in coffmangle_symbols) to:

  a->u.auxent.x_sym.x_fcnary.x_fcn.x_endndx.l =
    a->u.auxent.x_sym.x_fcnary.x_fcn.x_endndx.p->offset;

The implication is that the offset field has been computed incorrectly.

I have not traced the problem any further than this though.  (Please feel
free to do so yourself, of course).  My gut tells me that there are still
problems in this part of the BFD library.  But my boss tells me that there
are more important things to be working on at this time, so unless/until
another bug turns up, I will have to sideline any further investigations.

Cheers
  Nick

-- 
You are receiving this mail because:
You are on the CC list for the bug.