From 07d22f648e56d7276fa7a4a73438005448c406fb Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Mon, 29 Jun 2020 09:51:07 +0930 Subject: [PATCH] asan: _bfd_pei_slurp_codeview_record use of uninit value Fixes some seriously careless code. bfd_bread return value is (bfd_size_type)-1 on error. "if (bfd_bread (...) < 4)" does not check for an error since bfd_size_type is unsigned. In any case, I think we should be reading and checking the requested length. * peXXigen.c (_bfd_XXi_slurp_codeview_record): Properly check return value of bfd_bread. Don't read more than requested length. Sanity check length. Properly terminate file name. --- bfd/ChangeLog | 6 ++++++ bfd/peXXigen.c | 10 ++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 4a87b3bb5c2..1bf65c294d6 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2020-06-29 Alan Modra + + * peXXigen.c (_bfd_XXi_slurp_codeview_record): Properly check + return value of bfd_bread. Don't read more than requested length. + Sanity check length. Properly terminate file name. + 2020-06-29 Alan Modra * arc-got.h: Use C style comments. diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c index b3b68085ddc..5149ef582bf 100644 --- a/bfd/peXXigen.c +++ b/bfd/peXXigen.c @@ -1147,15 +1147,21 @@ CODEVIEW_INFO * _bfd_XXi_slurp_codeview_record (bfd * abfd, file_ptr where, unsigned long length, CODEVIEW_INFO *cvinfo) { char buffer[256+1]; + bfd_size_type nread; if (bfd_seek (abfd, where, SEEK_SET) != 0) return NULL; - if (bfd_bread (buffer, 256, abfd) < 4) + if (length <= sizeof (CV_INFO_PDB70) && length <= sizeof (CV_INFO_PDB20)) + return NULL; + if (length > 256) + length = 256; + nread = bfd_bread (buffer, length, abfd); + if (length != nread) return NULL; /* Ensure null termination of filename. */ - buffer[256] = '\0'; + memset (buffer + nread, 0, sizeof (buffer) - nread); cvinfo->CVSignature = H_GET_32 (abfd, buffer); cvinfo->Age = 0;