[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/15213] New: process_extended_line_op overflow
From: |
paul.marinescu at imperial dot ac.uk |
Subject: |
[Bug binutils/15213] New: process_extended_line_op overflow |
Date: |
Thu, 28 Feb 2013 13:35:42 +0000 |
http://sourceware.org/bugzilla/show_bug.cgi?id=15213
Bug #: 15213
Summary: process_extended_line_op overflow
Product: binutils
Version: 2.23
Status: NEW
Severity: normal
Priority: P2
Component: binutils
AssignedTo: address@hidden
ReportedBy: address@hidden
Classification: Unclassified
Created attachment 6907
--> http://sourceware.org/bugzilla/attachment.cgi?id=6907
valgrind objdump -Wl extlineop.o
process_extended_line_op (dwarf.c) may overflow its unsigned char *data
argument. This can happen because it only detects the end of the buffer by its
contents, which are not previously validated. The function could perform better
error checking if it would also receive the allocated size of the buffer.
An example input triggering an overflow is attached, along with valgrind
output:
==6131== Memcheck, a memory error detector
==6131== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==6131== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==6131== Command: /home/pdm/binutils/binutils/objdump -Wl extlineop.o
==6131==
extlineop.o: file format elf64-x86-64
Raw dump of debug contents of section .debug_line:
Offset: 0x0
Length: 62
DWARF Version: 2
Prologue Length: 35
Minimum Instruction Length: 1
Initial value of 'is_stmt': 1
Line Base: 1
Line Range: 1
Opcode Base: 16
Opcodes:
Opcode 1 has 0 args
Opcode 2 has 1 args
Opcode 3 has 1 args
Opcode 4 has 1 args
Opcode 5 has 1 args
Opcode 6 has 0 args
Opcode 7 has 0 args
Opcode 8 has 0 args
Opcode 9 has 1 args
Opcode 10 has 0 args
Opcode 11 has 0 args
Opcode 12 has 1 args
Opcode 13 has 0 args
Opcode 14 has 0 args
Opcode 15 has 0 args
The Directory Table is empty.
The File Name Table:
Entry Dir Time Size Name
1 0 0 0 file1.txt
Line Number Statements:
Extended opcode 2: set Address to 0x4
Advance Line by 3 to 4
Copy
Copy
Extended opcode 2: set Address to 0x8
==6131== Invalid read of size 1
==6131== at 0x40BC80: display_debug_lines (dwarf.c:423)
==6131== by 0x407D55: dump_dwarf_section (objdump.c:2364)
==6131== by 0x445D8B: bfd_map_over_sections (section.c:1330)
==6131== by 0x4068A2: dump_dwarf (objdump.c:2411)
==6131== by 0x406CCF: dump_bfd (objdump.c:3242)
==6131== by 0x407477: display_any_bfd (objdump.c:3329)
==6131== by 0x4079B7: display_file.part.3 (objdump.c:3404)
==6131== by 0x4084C6: main (objdump.c:3393)
==6131== Address 0x4c2bab2 is 0 bytes after a block of size 66 alloc'd
==6131== at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==6131== by 0x443575: bfd_malloc (libbfd.c:183)
==6131== by 0x4541C7: bfd_get_full_section_contents (compress.c:181)
==6131== by 0x407AD3: load_specific_debug_section (objdump.c:2264)
==6131== by 0x407D3C: dump_dwarf_section (objdump.c:2361)
==6131== by 0x445D8B: bfd_map_over_sections (section.c:1330)
==6131== by 0x4068A2: dump_dwarf (objdump.c:2411)
==6131== by 0x406CCF: dump_bfd (objdump.c:3242)
==6131== by 0x407477: display_any_bfd (objdump.c:3329)
==6131== by 0x4079B7: display_file.part.3 (objdump.c:3404)
==6131== by 0x4084C6: main (objdump.c:3393)
==6131==
Extended opcode 0: UNKNOWN: length 1 [ 00]
==6131==
==6131== HEAP SUMMARY:
==6131== in use at exit: 0 bytes in 0 blocks
==6131== total heap usage: 119 allocs, 119 frees, 65,486 bytes allocated
==6131==
==6131== All heap blocks were freed -- no leaks are possible
==6131==
==6131== For counts of detected and suppressed errors, rerun with: -v
==6131== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug binutils/15213] New: process_extended_line_op overflow,
paul.marinescu at imperial dot ac.uk <=