bug-binutils

[Bug binutils/22895] New: integer overflow in read_attribute_value


From: luanjunchao at 163 dot com
Subject: [Bug binutils/22895] New: integer overflow in read_attribute_value
Date: Mon, 26 Feb 2018 03:43:25 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22895

            Bug ID: 22895
           Summary: integer overflow in  read_attribute_value
           Product: binutils
           Version: 2.31 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: luanjunchao at 163 dot com
  Target Milestone: ---

The command I tested is "nm-new -A -a -l -S -s --special-syms --synthetic
--with-symbol-versions -D $POC".

In the function read_attribute_value in dwarf2.c:1175:

    case DW_FORM_block:
      amt = sizeof (struct dwarf_block);
      blk = (struct dwarf_block *) bfd_alloc (abfd, amt);
      if (blk == NULL)
        return NULL;
      blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
                                         FALSE, info_ptr_end);
      info_ptr += bytes_read;
      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
      info_ptr += blk->size;
      attr->u.blk = blk;
      break;

I found a case where blk->size is large enough to lead to an integer overflow
of info_ptr.
The POC file is
https://github.com/skysider/FuzzVuln/blob/master/binutils_nm_integer_overflow_read_attribute_value.elf

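The pattern in the report, as an added example that is not binutils code: the block length comes from an attacker-controlled ULEB128, the read_n_bytes-style bounds check refuses to hand out the data, but the cursor is still advanced by the untrusted length, so a length near SIZE_MAX wraps it back to a position that looks in-bounds. The cursor is kept as an offset into the buffer (pointer arithmetic past an object is undefined in C), read_uleb128 is our own simplified stand-in for _bfd_safe_read_leb128, and the two input buffers are constructed for this example. The hardened form checks the length against the remaining bytes before touching the cursor and parks the cursor at the end on failure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for binutils' struct dwarf_block (added example). */
struct dwarf_block {
    size_t size;
    const unsigned char *data;
};

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1 };

/* Bounded unsigned LEB128 decoder; our own stand-in for _bfd_safe_read_leb128.
   Never reads past end; bits above 64 are dropped. */
static uint64_t read_uleb128(const unsigned char *p, const unsigned char *end,
                             unsigned int *bytes_read)
{
    uint64_t result = 0;
    unsigned int shift = 0, n = 0;

    while (p + n < end) {
        unsigned char b = p[n++];
        if (shift < 64)
            result |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if ((b & 0x80) == 0)
            break;
    }
    *bytes_read = n;
    return result;
}

/* The reported pattern. The read_n_bytes-style check refuses the data, but
   the cursor is still advanced by the attacker-controlled size. Returns the
   new cursor, which wraps modulo SIZE_MAX + 1 for a huge size. */
static size_t parse_block_vulnerable(const unsigned char *buf, size_t off,
                                     size_t end, struct dwarf_block *blk)
{
    unsigned int bytes_read;

    blk->size = (size_t) read_uleb128(buf + off, buf + end, &bytes_read);
    off += bytes_read;
    blk->data = (blk->size <= end - off) ? buf + off : NULL;
    off += blk->size;            /* unchecked: wraps for size near SIZE_MAX */
    return off;
}

/* Hardened form: validate the size against the remaining bytes before the
   cursor moves, and park the cursor at end so parsing cannot continue from
   a bogus position. */
static enum parse_status parse_block_fixed(const unsigned char *buf, size_t off,
                                           size_t end, struct dwarf_block *blk,
                                           size_t *off_out)
{
    unsigned int bytes_read;
    uint64_t size = read_uleb128(buf + off, buf + end, &bytes_read);

    off += bytes_read;
    if (size > (uint64_t) (end - off)) {
        blk->size = 0;
        blk->data = NULL;
        *off_out = end;
        return PARSE_TRUNCATED;
    }
    blk->size = (size_t) size;
    blk->data = buf + off;
    *off_out = off + blk->size;  /* proven <= end by the check above */
    return PARSE_OK;
}

/* Constructed input: ULEB128 for 2^64 - 1 (nine 0xff bytes then 0x01),
   followed by six bytes of filler. */
static const unsigned char huge_block[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
};

/* Constructed input: ULEB128 size 3 followed by the three data bytes. */
static const unsigned char small_block[] = { 0x03, 0x41, 0x42, 0x43 };

/* Cursor the vulnerable parser ends on for huge_block: 10 + SIZE_MAX wraps
   to 9, inside the 16-byte buffer and before the length field it just read. */
size_t demo_vulnerable_cursor(void)
{
    struct dwarf_block blk;
    return parse_block_vulnerable(huge_block, 0, sizeof huge_block, &blk);
}

/* 1 if the fixed parser rejects huge_block and parks the cursor at the end. */
int demo_fixed_rejects_huge(void)
{
    struct dwarf_block blk;
    size_t off = 0;
    enum parse_status st =
        parse_block_fixed(huge_block, 0, sizeof huge_block, &blk, &off);
    return st == PARSE_TRUNCATED && off == sizeof huge_block && blk.data == NULL;
}

/* Cursor after a well-formed block (4), or 0 if the fixed parser got it wrong. */
size_t demo_fixed_small_cursor(void)
{
    struct dwarf_block blk;
    size_t off = 0;
    if (parse_block_fixed(small_block, 0, sizeof small_block, &blk, &off) != PARSE_OK)
        return 0;
    return (blk.size == 3 && blk.data == small_block + 1) ? off : 0;
}

int main(void)
{
    printf("vulnerable cursor after huge block: %zu (buffer is %zu bytes)\n",
           demo_vulnerable_cursor(), sizeof huge_block);
    printf("fixed parser rejects huge block: %d\n", demo_fixed_rejects_huge());
    printf("fixed parser cursor after small block: %zu\n", demo_fixed_small_cursor());
    return 0;
}
```

The wrapped cursor is the dangerous part: 9 is smaller than the buffer length, so a caller that only checks info_ptr < info_ptr_end keeps parsing from a position behind the field it just consumed, and with a real pointer the same arithmetic can land anywhere in the address space. Comparing the untrusted length against end - off before the add is the check that closes this.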

