bug-binutils

Re: Stack BufferOverflow in readelf.c


From: Andreas Schwab
Subject: Re: Stack BufferOverflow in readelf.c
Date: Thu, 27 Apr 2023 19:50:54 +0200
User-agent: Gnus/5.13 (Gnus v5.13)

On Apr 27 2023, 2ourc3 1er wrote:

> The function includes a declaration of a fixed-sized buffer, char
> name_buf[40];, which is used later in the function with the sprintf
> function: sprintf (name_buf, "<section 0x%x>",
>   (unsigned int) psym->st_shndx);
>
> The problem with this implementation is that the st_shndx argument used in
> sprintf is controlled by the user, and therefore, could be larger than the
> size of the buffer, leading to a Stack BufferOverflow on the buffer
> name_buf.

That is obviously impossible: psym->st_shndx can be at most 65535, so it
cannot be larger than 4 characters when formatted as a hexadecimal
number.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."


