[Bug binutils/20089] New: objcopy.c line 1130 has not size check before

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/20089] New: objcopy.c line 1130 has not size check before

From:	ecular at 163 dot com
Subject:	[Bug binutils/20089] New: objcopy.c line 1130 has not size check before accessing isympp array.
Date:	Fri, 13 May 2016 10:16:47 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=20089

            Bug ID: 20089
           Summary: objcopy.c line 1130 has not size check before
                    accessing isympp array.
           Product: binutils
           Version: 2.26
            Status: NEW
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: ecular at 163 dot com
  Target Milestone: ---

Created attachment 9255
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9255&action=edit
run ./strip-new -s thisfile can case a strip-new crash.

Hi there, 

I crashed strip-new (with flag -s) with the file attached.
It is because an invalid access at objcopy.c line 1130 in group_signature()
when ghdr->sh_info = 0.


if (symhdr->sh_type == SHT_SYMTAB
 && ghdr->sh_info < symhdr->sh_size / bed->s->sizeof_sym)
return isympp[ghdr->sh_info - 1];



The gdb output like this:

Program received signal SIGSEGV, Segmentation fault.
0x000000000041a98f in group_signature (group=0xb2ce20, group=0xb2ce20) at
objcopy.c:1130
1130            return isympp[ghdr->sh_info - 1];
(gdb) bt
#0  0x000000000041a98f in group_signature (group=0xb2ce20, group=0xb2ce20) at
objcopy.c:1130
#1  is_strip_section (address@hidden, abfd=0xb2bc40) at objcopy.c:1240
#2  0x0000000000429757 in setup_section (ibfd=0xb2bc40, isection=0xb2ce20,
obfdarg=0xb2f000) at objcopy.c:2967
#3  0x00000000004fb4b4 in bfd_map_over_sections (address@hidden,
address@hidden <setup_section>, 
    address@hidden) at section.c:1392
#4  0x000000000041ef34 in copy_object (address@hidden,
address@hidden, address@hidden) at objcopy.c:1996
#5  0x000000000042907e in copy_object (input_arch=0x0, obfd=0xb2f000,
ibfd=0xb2bc40) at objcopy.c:1810
#6  copy_file (input_filename=0x7fffffffe731
"id:000001,sig:11,src:001587,op:havoc,rep:4", 
    address@hidden "stAHEPxQ",
address@hidden, output_target=<optimized out>, 
    address@hidden, address@hidden) at objcopy.c:2817
#7  0x00000000004113e6 in strip_main (argv=<optimized out>, argc=<optimized
out>) at objcopy.c:3680
#8  main (argc=3, argv=0x7fffffffe498) at objcopy.c:4766
(gdb) print ghdr->sh_info
$1 = 0

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/20089] New: objcopy.c line 1130 has not size check before accessing isympp array., ecular at 163 dot com <=
- [Bug binutils/20089] stripe-new crashed because of a Access Violation Fault., ecular at 163 dot com, 2016/05/15
- [Bug binutils/20089] stripe-new crashed because of an Access Violation Fault., ecular at 163 dot com, 2016/05/15

Prev by Date: [Bug binutils/20088] Can not supported architectures armv7m(arm-none-eabi-objdump)
Next by Date: [Bug ld/20090] New: [Fix] clang fail on LTO phase with BFD linker (+patch)
Previous by thread: [Bug binutils/20088] New: Can not supported architectures armv7m(arm-none-eabi-objdump)
Next by thread: [Bug binutils/20089] stripe-new crashed because of a Access Violation Fault.
Index(es):
- Date
- Thread