[Bug binutils/24644] OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/a

From: alex at forallsecure dot com
Subject: [Bug binutils/24644] OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c
Date: Fri, 07 Jun 2019 21:32:11 +0000


--- Comment #2 from Alex Rebert <alex at forallsecure dot com> ---
Oops. Sorry about that. I saw
https://sourceware.org/bugzilla/show_bug.cgi?id=23361 and thought you were
interested in those.

FWIW, there are a few overflows in there, and the overflow checks don't catch
them all. I haven't been able to make it crash yet, but I have an input that
leads to calling bfd_bread on a small buffer with a very large size. Happy to
upload it if you're interested in it.

Details: When parsed_size=-1 and nsymz=2, the function allocates an 8-byte
symdefs array, while stringsize is 18446744073709551591. Since bfd_read calls
cache_bread, which takes a signed size which ends up being negative, no
overflow happens.

You are receiving this mail because:
You are on the CC list for the bug.
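
The arithmetic described in the comment above, as an added example (not binutils code and not part of the original message). The size formulas and the 16-byte `CARSYM_SIZE` are assumptions chosen to reproduce the quoted figures, the names `unchecked_sizes` and `checked_sizes` are hypothetical, and the overflow builtins are those of GCC/Clang.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CARSYM_SIZE 16u /* assumed size of one symbol-table entry (LP64) */

struct armap_sizes {
    uint64_t stringsize;  /* bytes the string table is believed to occupy */
    uint64_t amt;         /* bytes requested from the allocator */
    int64_t signed_size;  /* stringsize as a signed-size read routine sees it */
};

/* Unchecked model: every step silently wraps modulo 2^64. */
static struct armap_sizes unchecked_sizes(uint64_t parsed_size, uint64_t nsymz)
{
    struct armap_sizes s;
    s.stringsize = parsed_size - 8 * nsymz - 8;
    s.amt = nsymz * CARSYM_SIZE + s.stringsize + 1;
    s.signed_size = (int64_t)s.stringsize;
    return s;
}

/* Checked model: returns false as soon as any step would wrap or go negative. */
static bool checked_sizes(uint64_t parsed_size, uint64_t nsymz,
                          struct armap_sizes *out)
{
    uint64_t ptrsize, carsym_bytes;
    if (parsed_size < 8 || __builtin_mul_overflow(nsymz, 8, &ptrsize)
        || ptrsize > parsed_size - 8)
        return false;
    out->stringsize = parsed_size - 8 - ptrsize;
    if (out->stringsize > INT64_MAX
        || __builtin_mul_overflow(nsymz, CARSYM_SIZE, &carsym_bytes)
        || __builtin_add_overflow(carsym_bytes, out->stringsize, &out->amt)
        || __builtin_add_overflow(out->amt, 1, &out->amt))
        return false;
    out->signed_size = (int64_t)out->stringsize;
    return true;
}

int main(void)
{
    struct armap_sizes s = unchecked_sizes(UINT64_MAX, 2); /* parsed_size = -1 */
    printf("stringsize=%" PRIu64 " amt=%" PRIu64 " signed=%" PRId64 "\n",
           s.stringsize, s.amt, s.signed_size);
    printf("checked accepts: %d\n", checked_sizes(UINT64_MAX, 2, &s));
    return 0;
}
```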
