Prevent a potential illegal memory access in readelf when parsing a note with a zero name size.

PR 24131 * readelf.c (process_notes_at): Prevent an illegal memory access when the note's namesize is zero. (decode_tic6x_unwind_bytecode): Add code to handle the case where no registers are specified in a frame pop instruction.
2024-12-20 07:43:36 +08:00 · 2019-01-25 13:16:06 +00:00 · 2019-01-25 13:16:06 +00:00 · 183445093e
commit 183445093e
parent 9ed1348c20
2 changed files with 28 additions and 13 deletions
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@ -1,3 +1,11 @@
+2019-01-25  Nick Clifton  <nickc@redhat.com>
+
+	PR 24131
+	* readelf.c (process_notes_at): Prevent an illegal memory access
+	when the note's namesize is zero.
+	(decode_tic6x_unwind_bytecode): Add code to handle the case where
+	no registers are specified in a frame pop instruction.
+
 2019-01-25  Nick Clifton  <nickc@redhat.com>

 	* po/bg.po: Updated Bulgarian translation.
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@ -8852,21 +8852,28 @@ decode_tic6x_unwind_bytecode (Filedata *                 filedata,
 	    }

 	  printf (_("pop frame {"));
-	  reg = nregs - 1;
-	  for (i = i * 2; i > 0; i--)
+	  if (nregs == 0)
 	    {
-	      if (regpos[reg].offset == i - 1)
+	      printf (_("*corrupt* - no registers specified"));
+	    }
+	  else
+	    {
+	      reg = nregs - 1;
+	      for (i = i * 2; i > 0; i--)
 		{
-		  name = tic6x_unwind_regnames[regpos[reg].reg];
-		  if (reg > 0)
-		    reg--;
-		}
-	      else
-		name = _("[pad]");
+		  if (regpos[reg].offset == i - 1)
+		    {
+		      name = tic6x_unwind_regnames[regpos[reg].reg];
+		      if (reg > 0)
+			reg--;
+		    }
+		  else
+		    name = _("[pad]");

-	      fputs (name, stdout);
-	      if (i > 1)
-		printf (", ");
+		  fputs (name, stdout);
+		  if (i > 1)
+		    printf (", ");
+		}
 	    }

 	  printf ("}");
@ -18741,7 +18748,7 @@ process_notes_at (Filedata *           filedata,
 	 one version of Linux (RedHat 6.0) generates corefiles that don't
 	 comply with the ELF spec by failing to include the null byte in
 	 namesz.  */
-      if (inote.namedata[inote.namesz - 1] != '\0')
+      if (inote.namesz > 0 && inote.namedata[inote.namesz - 1] != '\0')
 	{
 	  if ((size_t) (inote.descdata - inote.namedata) == inote.namesz)
 	    {