
libbfd bug: Segfault interpreting a header string

From: Matt Davis
Subject: libbfd bug: Segfault interpreting a header string
Date: Wed, 27 Aug 2014 23:11:41 -0700

I found an interesting bug in libbfd distributed in binutils-2.24.
The following bug triggers a segfault in srec.c at line 576 where data
is being dereferenced by the HEX macro.  In my case, data was '0' and
thus dereferencing a 0 is pretty painful.  This can be triggered by
the following text file:

[enferex:bfd]$ cat << EOF > ohcrap.txt
> S700
> EOF

Running strings (or other libbfd based utilities) on that file will
trigger a segfault.  I have attached a patch that should cause
srec_scan() to gracefully exit. In this case libbfd thinks that the
input file is an S-record, and then checks one of the zeros as a value
representing a byte-size.  This patch just does a conservative check
and bails out on 0.


Attachment: libbfd-2.24-fix-zerobyte-deref.patch
Description: Text Data
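The failure the report describes is a record whose byte count does not leave room for the fields the format requires. The following stand-alone S-record line parser is an added example, written for this page; it is neither the attached patch nor binutils' srec.c, and the function and enum names (srec_parse_line, srec_check, SREC_ERR_COUNT, and so on) are mine. It applies the format's own rule: the count byte covers address, data and checksum, so it can never be smaller than the address width plus one, and a line like "S700" is rejected before any byte past the count field is read. The sample lines in main are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: minimal Motorola S-record line parser, not binutils code.
 * Layout: 'S' <type> <count: 2 hex> <address> <data> <checksum>. */

/* Address width in bytes per record type; 0 marks a type we reject. */
static const int srec_addr_len[10] = { 2, 2, 3, 4, 0, 2, 0, 4, 3, 2 };

typedef enum {
    SREC_OK = 0,
    SREC_ERR_SHORT,     /* under 4 chars: no room for 'S', type and count */
    SREC_ERR_TYPE,      /* no leading 'S', or an unsupported type digit */
    SREC_ERR_HEX,       /* non-hex character where a hex digit is required */
    SREC_ERR_COUNT,     /* count below the minimum for this record type */
    SREC_ERR_TRUNC,     /* line ends before the count says it should */
    SREC_ERR_CHECKSUM   /* checksum byte does not match the data */
} srec_status;

typedef struct {
    int type;
    uint32_t address;
    uint8_t data[255];  /* count is one byte, so data never exceeds 254 */
    size_t data_len;
} srec_record;

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode two hex digits at p; -1 on any non-hex digit (NUL included). */
static int hexbyte(const char *p)
{
    int hi = hexval((unsigned char)p[0]), lo = hexval((unsigned char)p[1]);
    return (hi < 0 || lo < 0) ? -1 : ((hi << 4) | lo);
}

srec_status srec_parse_line(const char *line, size_t len, srec_record *out)
{
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;                              /* tolerate CR/LF endings */
    /* Length and type checks first: every later read is bounded by them. */
    if (len < 4)
        return SREC_ERR_SHORT;
    if (line[0] != 'S' || line[1] < '0' || line[1] > '9')
        return SREC_ERR_TYPE;
    int type = line[1] - '0', alen = srec_addr_len[type];
    if (alen == 0)
        return SREC_ERR_TYPE;
    int count = hexbyte(line + 2);
    if (count < 0)
        return SREC_ERR_HEX;
    if (count < alen + 1)                   /* must cover address + checksum */
        return SREC_ERR_COUNT;
    if (len < 4 + 2 * (size_t)count)        /* two chars per counted byte */
        return SREC_ERR_TRUNC;
    const char *p = line + 4;
    uint8_t sum = (uint8_t)count;           /* checksum runs over count too */
    uint32_t addr = 0;
    for (int i = 0; i < alen; i++, p += 2) {
        int b = hexbyte(p);
        if (b < 0) return SREC_ERR_HEX;
        addr = (addr << 8) | (uint32_t)b;
        sum += (uint8_t)b;
    }
    size_t dlen = (size_t)count - (size_t)alen - 1;   /* no underflow: checked */
    for (size_t i = 0; i < dlen; i++, p += 2) {
        int b = hexbyte(p);
        if (b < 0) return SREC_ERR_HEX;
        out->data[i] = (uint8_t)b;
        sum += (uint8_t)b;
    }
    int cks = hexbyte(p);
    if (cks < 0)
        return SREC_ERR_HEX;
    if ((uint8_t)~sum != (uint8_t)cks)      /* ones' complement of low byte */
        return SREC_ERR_CHECKSUM;
    out->type = type;
    out->address = addr;
    out->data_len = dlen;
    return SREC_OK;
}

/* Status-only wrapper for NUL-terminated lines. */
srec_status srec_check(const char *line)
{
    srec_record r;
    return srec_parse_line(line, strlen(line), &r);
}

int main(void)
{
    /* Constructed samples: the reported file, a valid S7, a bad checksum. */
    const char *samples[] = { "S700", "S70500000000FA", "S9030000FD" };
    for (size_t i = 0; i < 3; i++)
        printf("%-16s -> status %d\n", samples[i], (int)srec_check(samples[i]));
    return 0;
}
```

The order of the checks is the point: the length test bounds the read of the count field, the count test bounds the reads of address and data, and only then is any byte of payload decoded, so a malformed count can never steer a pointer past the buffer.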
