[Bug binutils/13300] New: out-of-bounds memcpy in peXXigen.c
From: Pascal.Stumpf at cubes dot de
Subject: [Bug binutils/13300] New: out-of-bounds memcpy in peXXigen.c
Date: Sat, 15 Oct 2011 18:05:12 +0000
http://sourceware.org/bugzilla/show_bug.cgi?id=13300
Bug #: 13300
Summary: out-of-bounds memcpy in peXXigen.c
Product: binutils
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: binutils
AssignedTo: address@hidden
ReportedBy: address@hidden
Classification: Unclassified
In bfd, peXXigen.c, lines 252 and 326, a memcpy is done to a buffer of size 14
(declared in coff/internal.h) with a length of FILNMLEN. FILNMLEN is defined as
14 in coff/internal.h, however it is redefined in coff/pe.h as 18 (included
after coff/internal.h). So the memcpy will attempt to copy 18 bytes into a
14-byte buffer. (This was caught by the -Wbounded flag for gcc on OpenBSD.)
I don't have much insight on the motivation behind having different definitions
for FILNMLEN/E_FILNMLEN, but it probably should be defined consistently as
either 14 or 18 to avoid confusion. Or even better, define it in *one* place
instead of so many.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
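The mismatch described in the report, as an added example that is not part of the original message or of the binutils sources: it computes how far a FILNMLEN-length copy would overrun the 14-byte field and shows a copy bounded by `sizeof` on the objects instead. The struct names, the `guard` canary and the sample name are constructed stand-ins; only FILNMLEN and the values 14 and 18 come from the report.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the first header: the macro sizes a 14-byte name field. */
#define FILNMLEN 14
struct internal_aux_demo {            /* hypothetical name */
    char x_fname[FILNMLEN];
    unsigned char guard[4];           /* constructed canary behind the buffer */
};

/* Stand-in for the later header: same macro name, new value. */
#undef FILNMLEN
#define FILNMLEN 18
struct external_aux_demo {            /* hypothetical name */
    char x_fname[FILNMLEN];
};

/* A C11 check like this one, uncommented, rejects the mismatch at build time:
 * _Static_assert(FILNMLEN == sizeof(((struct internal_aux_demo *)0)->x_fname),
 *                "FILNMLEN no longer matches the internal x_fname buffer"); */

/* Bytes that memcpy(dst, src, FILNMLEN) would write past the 14-byte field. */
size_t macro_copy_overrun(void) {
    size_t dst = sizeof(((struct internal_aux_demo *)0)->x_fname);
    return FILNMLEN > dst ? FILNMLEN - dst : 0;
}

/* Bounded copy: the length comes from the two objects, not from the macro. */
size_t copy_fname(struct internal_aux_demo *in, const struct external_aux_demo *ext) {
    size_t n = sizeof in->x_fname;
    if (n > sizeof ext->x_fname)
        n = sizeof ext->x_fname;
    memcpy(in->x_fname, ext->x_fname, n);
    return n;
}

/* Returns 1 if the canary is untouched and all 14 name bytes were copied. */
int guard_intact_after_copy(void) {
    struct internal_aux_demo in = { .guard = { 0xA5, 0xA5, 0xA5, 0xA5 } };
    struct external_aux_demo ext;
    memset(ext.x_fname, 'A', sizeof ext.x_fname);  /* constructed 18-byte name */
    copy_fname(&in, &ext);
    return memcmp(in.guard, "\xA5\xA5\xA5\xA5", 4) == 0 && in.x_fname[13] == 'A';
}

int main(void) {
    printf("overrun=%zu intact=%d\n", macro_copy_overrun(), guard_intact_after_copy());
    return 0;
}
```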