Hi ICBM,

Found a new vuln in the bfd lib coff code, similar to the last one...
        In the do_slurp_coff_armap() function:

        static bfd_boolean
        do_slurp_coff_armap (bfd *abfd){
        ...

          carsym_size = (nsymz * sizeof (carsym)); /* uses the nsymz from file */
          ptrsize = (4 * nsymz);                   /* integer overflow here */
        ...
          /* Allocate and read in the raw offsets.  */
          raw_armap = bfd_alloc (abfd, ptrsize);   /* allocate wrong memory size here */
          if (raw_armap == NULL)
            goto release_symdefs;
        ...
        }
I do not understand why this can lead to a vulnerability.  Even if the 
computation of "ptrsize" does overflow all that will happen is that the 
code will read in too little of the archive's map.  The code in 
bfd_alloc() treats the size parameter as unsigned and it copes with a 
very large value which is too big to be allocated.  So where is the 
vulnerability?
Cheers
  Nick


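An added illustration of the arithmetic under discussion (constructed example, not code from the report or from binutils): the quoted computation `ptrsize = 4 * nsymz` written out in plain C, beside an overflow-checked form that refuses a count whose byte size cannot be represented. The use of `size_t` for `nsymz` and `ptrsize`, and the helper names, are assumptions; the real bfd code uses its own `bfd_size_type`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not binutils code.  The types are an assumption:
   the real do_slurp_coff_armap() uses bfd_size_type for these values. */

/* The computation as quoted in the report: 4 * nsymz with no check.
   When nsymz > SIZE_MAX / 4 the product wraps modulo 2^(8*sizeof(size_t)),
   so a huge count from the file yields a small (even zero) byte size. */
size_t ptrsize_unchecked(size_t nsymz)
{
    return 4 * nsymz;
}

/* Overflow-checked form: returns false when 4 * nsymz would wrap,
   otherwise stores the exact byte size in *out and returns true. */
bool ptrsize_checked(size_t nsymz, size_t *out)
{
    if (nsymz > SIZE_MAX / 4)
        return false;
    *out = 4 * nsymz;
    return true;
}

/* Allocate the raw offset table only when the size is sound, so the
   caller knows the buffer really holds nsymz four-byte entries. */
uint32_t *alloc_offsets(size_t nsymz)
{
    size_t bytes;
    if (!ptrsize_checked(nsymz, &bytes))
        return NULL;            /* reject the count instead of under-allocating */
    return malloc(bytes);       /* may still be NULL if the request is too large */
}

int main(void)
{
    size_t huge = SIZE_MAX / 4 + 1;   /* smallest count whose byte size wraps */
    size_t bytes;

    printf("unchecked: 4 * %zu wraps to %zu\n", huge, ptrsize_unchecked(huge));
    printf("checked:   count %zu %s\n", huge,
           ptrsize_checked(huge, &bytes) ? "accepted" : "rejected");

    uint32_t *tbl = alloc_offsets(10);
    if (tbl != NULL) {
        ptrsize_checked(10, &bytes);
        printf("checked:   10 entries -> %zu bytes allocated\n", bytes);
        free(tbl);
    }
    return 0;
}
```

The checked variant is the shape reviewers usually ask for when a size is derived from an on-disk count: the comparison against `SIZE_MAX / 4` is done before the multiply, so the result can never silently shrink below the number of entries the later read loop expects.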
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-binutils
