libbfd bug: Segfault interpreting a header string
From: Matt Davis
Subject: libbfd bug: Segfault interpreting a header string
Date: Wed, 27 Aug 2014 23:11:41 -0700
I found an interesting bug in libbfd distributed in binutils-2.24.
The following bug triggers a segfault in srec.c at line 576 where data
is being dereferenced by the HEX macro. In my case, data was '0' and
thus dereferencing a 0 is pretty painful. This can be triggered by
the following text file:
[enferex:bfd]$ cat << EOF > ohcrap.txt
> S700
> EOF
Running strings (or other libbfd-based utilities) on that file will
trigger a segfault. I have attached a patch that should cause
srec_scan() to gracefully exit. In this case libbfd thinks that the
input file is an S record, and then checks one of the zeros as a value
representing a byte-size. This patch just does a conservative check
and bails out on 0.
-Matt
Attachment: libbfd-2.24-fix-zerobyte-deref.patch (Text Data)
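The zero-count case described above, as an added example that is not taken from the post or from binutils: a constructed S-record line parser in C that rejects any record whose byte count cannot cover its address field and checksum, and that also checks every counted byte is really present before reading it (the function name srec_parse_record and the error codes are assumptions).

```c
#include <stddef.h>
#include <string.h>

/* Constructed example (not bfd's srec.c): parse one Motorola S-record line,
 * rejecting any record whose byte count cannot cover address + checksum. */
enum { SREC_OK, SREC_BAD_TYPE, SREC_BAD_HEX, SREC_SHORT, SREC_TRUNC, SREC_BAD_SUM };
struct srec_rec {
    int type;                  /* digit after 'S' */
    unsigned long address;
    unsigned char data[255];   /* count is one byte, so this always fits */
    size_t datalen;
};
/* Address width in bytes per record type; S4 is undefined and rejected. */
static const int addr_bytes[10] = { 2, 2, 3, 4, 0, 2, 3, 4, 3, 2 };
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
/* Two hex digits at p as a byte, or -1 if either is not hex. */
static int hexbyte(const char *p) {
    int hi = hexval(p[0]), lo = hexval(p[1]);
    return (hi < 0 || lo < 0) ? -1 : (hi << 4) | lo;
}
int srec_parse_record(const char *line, struct srec_rec *out) {
    size_t len = strlen(line);
    int count, nbytes, i, sum, b;
    if (len < 4 || line[0] != 'S' || line[1] < '0' || line[1] > '9' || line[1] == '4')
        return SREC_BAD_TYPE;
    out->type = line[1] - '0';
    if ((count = hexbyte(line + 2)) < 0) return SREC_BAD_HEX;
    /* "S700" carries count 0: without this check the address and checksum
       would be read from bytes that were never in the record. */
    nbytes = addr_bytes[out->type];
    if (count < nbytes + 1) return SREC_SHORT;
    if (len < 4 + (size_t)count * 2) return SREC_TRUNC; /* all counted bytes present? */
    out->address = 0;
    out->datalen = (size_t)(count - nbytes - 1);
    sum = count;
    for (i = 0; i < count - 1; i++) {           /* address bytes, then data bytes */
        if ((b = hexbyte(line + 4 + 2 * i)) < 0) return SREC_BAD_HEX;
        if (i < nbytes) out->address = (out->address << 8) | (unsigned long)b;
        else out->data[i - nbytes] = (unsigned char)b;
        sum += b;
    }
    if ((b = hexbyte(line + 4 + 2 * (count - 1))) < 0) return SREC_BAD_HEX;
    /* The checksum is the one's complement of the low byte of the byte sum. */
    return ((sum + b) & 0xff) == 0xff ? SREC_OK : SREC_BAD_SUM;
}
```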