[Bug binutils/24427] New: bfd/doc/chew.c reads uninitialized memory and
From: mforney at mforney dot org
Subject: [Bug binutils/24427] New: bfd/doc/chew.c reads uninitialized memory and subtracts from function pointer
Date: Tue, 09 Apr 2019 00:58:37 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=24427
Bug ID: 24427
Summary: bfd/doc/chew.c reads uninitialized memory and
subtracts from function pointer
Product: binutils
Version: 2.33 (HEAD)
Status: UNCONFIRMED
Severity: minor
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: mforney at mforney dot org
Target Milestone: ---
Created attachment 11726
--> https://sourceware.org/bugzilla/attachment.cgi?id=11726&action=edit
Patch fixing the issues
I noticed a couple minor problems in free_words() in bfd/doc/chew.c.
First, it looks like `code_length` stores the length of the allocated `code`
array and `code_end` is how many elements are initialized. However, the loop in
free_words() accesses elements up to `code_length`, and the last one might be
uninitialized (since they are allocated in multiples of 2).
Second, when computing the address of the word to free, it uses the expression
`ptr->code[i + 1] - 1`. Since `code` is an array of function pointers, this
subtraction is invalid (left operand must be pointer to complete *object*
type).
The attached patch fixes both of these issues.
--
You are receiving this mail because:
You are on the CC list for the bug.
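The two defects described in the report, shown on a small model as an added example; this is not chew.c and not the attached patch. The struct layout, the two-slot growth policy, the NULL terminator slot and the "slot stores heap block + 1" convention are assumptions chosen to match the report's description.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef void (*inst_fn)(void);      /* slots hold function pointers */
struct word { inst_fn *code; int code_length, code_end; }; /* allocated / initialized */

static void push_text(void) {}      /* marker: the next slot carries a string */

/* Append one slot; capacity grows two slots at a time (assumed policy). */
static void add(struct word *w, inst_fn f) {
    if (w->code_end == w->code_length) {
        w->code_length += 2;
        w->code = realloc(w->code, w->code_length * sizeof *w->code);
        if (!w->code) abort();
    }
    w->code[w->code_end++] = f;
}

/* Assumed layout: the slot after push_text stores (heap block + 1). */
static void add_text(struct word *w, const char *s) {
    char *buf = malloc(strlen(s) + 2);
    if (!buf) abort();
    buf[0] = '\0';
    strcpy(buf + 1, s);
    add(w, push_text);
    add(w, (inst_fn)(uintptr_t)(buf + 1));
}

/* Slots a loop bounded by code_length would read but nothing ever wrote. */
static int uninitialized_slots(const struct word *w) {
    return w->code_length - w->code_end;
}

/* Bounded by code_end; converts to char * before subtracting, because
   arithmetic on a function pointer is not valid C. Returns strings freed. */
static int free_word(struct word *w) {
    int freed = 0;
    for (int i = 0; i + 1 < w->code_end; i++)
        if (w->code[i] == push_text && w->code[i + 1]) {
            free((char *)(uintptr_t)w->code[i + 1] - 1);
            freed++; i++;
        }
    free(w->code);
    memset(w, 0, sizeof *w);
    return freed;
}

int main(void) {
    struct word w = {0};
    add_text(&w, "a"); add_text(&w, "b"); add(&w, NULL);  /* constructed word */
    return !(uninitialized_slots(&w) == 1 && free_word(&w) == 2);
}
```

Running the model under valgrind or with `-fsanitize=address` after changing the loop bound to `code_length` is a quick way to see the out-of-range read the report describes.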