From: Nick Clifton
Subject: Re: found vuln in bfd lib Coff code
Date: Wed, 17 Aug 2005 18:50:03 +0100
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)
Hi ICBM,
> Found a new vuln in bfd lib coff code, similar to the last one...
>
> In the do_slurp_coff_armap() function:
>
>   static bfd_boolean
>   do_slurp_coff_armap (bfd *abfd)
>   {
>     ...
>     carsym_size = (nsymz * sizeof (carsym)); // uses the nsymz from file
>     ptrsize = (4 * nsymz);                   // integer overflow here
>     ...
>     /* Allocate and read in the raw offsets. */
>     raw_armap = bfd_alloc (abfd, ptrsize);   // allocate wrong memory size here
>     if (raw_armap == NULL)
>       goto release_symdefs;
>     ...
>   }
I do not understand why this can lead to a vulnerability. Even if the computation of "ptrsize" does overflow, all that will happen is that the code will read in too little of the archive's map. The code in bfd_alloc() treats the size parameter as unsigned and it copes with a very large value which is too big to be allocated. So where is the vulnerability?
Cheers
Nick
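To make the arithmetic in the quoted snippet concrete, here is an added example (not from the thread and not bfd's own code) that models the `4 * nsymz` computation with a 32-bit size type and places the bound check that rejects a wrapping file-supplied count beside it; the 32-bit width of the size type and the stand-in carsym layout are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for bfd_size_type on a 32-bit host (assumed width for this example). */
typedef uint32_t bfd_size32;

/* Stand-in for bfd's carsym; layout assumed, only sizeof() matters here. */
struct carsym_like { char *name; bfd_size32 file_offset; };

/* The computation quoted in the thread: nsymz comes from the file, no bound check. */
static bfd_size32 armap_ptrsize_unchecked(bfd_size32 nsymz)
{
    return 4 * nsymz;          /* wraps once nsymz exceeds UINT32_MAX / 4 */
}

/* A ptrsize-byte buffer is meant to hold nsymz four-byte offsets; after a wrap it holds fewer. */
static bool ptrsize_covers_entries(bfd_size32 nsymz, bfd_size32 ptrsize)
{
    return ptrsize / 4 >= nsymz;
}

/* Bound check: UINT32_MAX / factor is the largest count whose product still fits. */
static bool armap_nsymz_in_range(bfd_size32 nsymz)
{
    return nsymz <= UINT32_MAX / 4
        && nsymz <= UINT32_MAX / sizeof(struct carsym_like);
}

/* Hardened form of the quoted sizes: reject the count before allocating. */
static bool armap_sizes_checked(bfd_size32 nsymz,
                                bfd_size32 *carsym_size, bfd_size32 *ptrsize)
{
    if (!armap_nsymz_in_range(nsymz))
        return false;
    *carsym_size = (bfd_size32)(nsymz * sizeof(struct carsym_like));
    *ptrsize = 4 * nsymz;
    return true;
}

int main(void)
{
    bfd_size32 cs, ps, n = 0x40000001u;   /* constructed header count */
    printf("unchecked ptrsize for %#x: %u bytes\n", n, armap_ptrsize_unchecked(n));
    printf("checked: %s\n", armap_sizes_checked(n, &cs, &ps) ? "accepted" : "rejected");
    return 0;
}
```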