[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/24644] OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/a
|
From: |
alex at forallsecure dot com |
|
Subject: |
[Bug binutils/24644] OOM-Bug in _bfd_archive_64_bit_slurp_armap in bfd/archive64.c |
|
Date: |
Fri, 07 Jun 2019 21:32:11 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=24644
--- Comment #2 from Alex Rebert <alex at forallsecure dot com> ---
Oops. Sorry about that. I saw
https://sourceware.org/bugzilla/show_bug.cgi?id=23361 and thought you were
interested in those.
FWIW, there are a few overflows in there, and the overflow checks don't catch
them all. I haven't been able to make it crash yet, but I have an input that
leads to calling bfd_bread on a small buffer with a very large size. Happy to
upload it if you're interested in it.
Details: When parsed_size=-1 and nsymz=2, the function allocates a 8-byte
symdefs array, while stringsize is 18446744073709551591). Since bfd_read calls
cache_bread, which takes a signed size which ends up being negative, no
overflow happens.
--
You are receiving this mail because:
You are on the CC list for the bug.