PR26337, Malloc size error in objdump


Sourceware - binutils list mailing list
A malloc failure triggered by a fuzzed object file isn't a real
problem unless objdump doesn't exit cleanly after the failure, which
it does.  However we have bfd_malloc_and_get_section to sanity check
size of uncompressed sections before allocating memory.  Use it.

        PR 26337
        * objdump.c (load_specific_debug_section): Don't malloc space for
        section contents, use bfd_malloc_and_get_section.

diff --git a/binutils/objdump.c b/binutils/objdump.c
index 79ef051856..1b48cd3efd 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -3545,6 +3545,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
       if (streq (section->filename, bfd_get_filename (abfd)))
  return TRUE;
       free (section->start);
+      section->start = NULL;
     }
 
   section->filename = bfd_get_filename (abfd);
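Review bot: the added `section->start = NULL;` after `free (section->start);` has no comment explaining why it is needed, and the ChangeLog entry does not mention it. The next hunk drops the explicit `section->start = NULL;` that used to precede `free_debug_section (debug)` on the invalid-size path, so this line is now the only thing keeping a freed pointer out of the error paths. A short comment here, or a line in the ChangeLog, would make that dependency visible to the next person who touches it.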
@@ -3557,22 +3558,20 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
   alloced = amt = section->size + 1;
   if (alloced != amt || alloced == 0)
     {
-      section->start = NULL;
       free_debug_section (debug);
       printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
       sanitize_string (section->name),
       (unsigned long long) section->size);
       return FALSE;
     }
-  section->start = contents = malloc (alloced);
-  if (section->start == NULL
-      || !bfd_get_full_section_contents (abfd, sec, &contents))
+  if (!bfd_malloc_and_get_section (abfd, sec, &contents))
     {
       free_debug_section (debug);
       printf (_("\nCan't get contents for section '%s'.\n"),
       sanitize_string (section->name));
       return FALSE;
     }
+  section->start = contents;
   /* Ensure any string section has a terminating NUL.  */
   section->start[section->size] = 0;
 
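Review bot: the terminator store `section->start[section->size] = 0;` at the end of this hunk needs a buffer of section->size + 1 bytes, which the removed `malloc (alloced)` supplied, but `bfd_malloc_and_get_section (abfd, sec, &contents)` is given no size, so nothing in the visible lines guarantees the extra byte. Either keep an allocation of `alloced` bytes for the contents or confirm that the helper reserves room for the NUL before this write. Note also that `alloced` is still computed and range-checked at the top of the hunk but no longer sizes any allocation.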

--
Alan Modra
Australia Development Lab, IBM

Re: PR26337, Malloc size error in objdump

On Wed, Aug 05, 2020 at 10:42:49AM +0930, Alan Modra wrote:
> A malloc failure triggered by a fuzzed object file isn't a real
> problem unless objdump doesn't exit cleanly after the failure, which
> it does.  However we have bfd_malloc_and_get_section to sanity check
> size of uncompressed sections before allocating memory.  Use it.
>
> PR 26337
> * objdump.c (load_specific_debug_section): Don't malloc space for
> section contents, use bfd_malloc_and_get_section.

Oops, I messed that up.  Reverting.

> +  section->start = contents;
>    /* Ensure any string section has a terminating NUL.  */
>    section->start[section->size] = 0;

Since we want one extra byte here.

--
Alan Modra
Australia Development Lab, IBM