I found an interesting bug in libbfd distributed in binutils-2.24. The following bug triggers a segfault in srec.c at line 576 where data is being dereferenced by the HEX macro. In my case, data was '0' and thus dereferencing a 0 is pretty painful. This can be triggered by the following text file:
[enferex:bfd]$ cat << EOF > ohcrap.txt
> S700
> EOF

Running strings (or other libbfd based utilities) on that file will trigger a segfault. I have attached a patch that should cause srec_scan() to gracefully exit. In this case libbfd thinks that the input file is an S record, and then checks one of the zeros as a value representing a byte-size. This patch just does a conservative check and bails out on 0.

-Matt
--- binutils-2.24-orig/bfd/srec.c 2013-11-04 07:33:37.000000000 -0800 +++ binutils-2.24-fix/bfd/srec.c 2014-08-27 22:28:07.169123490 -0700 @@ -477,6 +477,8 @@ goto error_return; } + if (! HEX (hdr + 1)) + goto error_return; check_sum = bytes = HEX (hdr + 1); if (bytes * 2 > bufsize) {
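Review bot: the added check decodes HEX (hdr + 1) once to test for zero and the unchanged line right after it decodes the same field again to assign check_sum and bytes; doing the assignment first and then testing `if (bytes == 0) goto error_return;` avoids the duplicate decode and makes the rejected value explicit. Zero is also only the lowest malformed count: an S-record count field covers the address field plus the checksum byte, so a count of 1 or 2 passes the new test and the existing `bytes * 2 > bufsize` upper-bound test while still being too short for the record type, so testing against that minimum rather than only zero would close the same class of input. A binutils patch also needs a bfd/ChangeLog entry describing the new check in srec_scan.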
_______________________________________________ bug-binutils mailing list bug-binutils@gnu.org https://lists.gnu.org/mailman/listinfo/bug-binutils
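The report above turns on one field: the two hex digits after the record type that state how many bytes follow. As an added example that is neither the reporter's patch nor libbfd's code, the stand-alone validator below decodes that count and rejects a line whose count is zero or too small for its record type before any data byte is looked at, which is the class of input (`S700`) that crashes srec_scan() in binutils-2.24. The names `hex_digit`, `hex_byte` and `srec_check_line` and the error codes are hypothetical; the minimum count (address field plus one checksum byte) and the ones-complement checksum are from the S-record format itself.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for srec_check_line (hypothetical, not libbfd's). */
enum {
    SREC_OK = 0,
    SREC_ERR_FRAMING,   /* not 'S' + type + hex count, or non-hex data */
    SREC_ERR_COUNT,     /* count is 0 or smaller than address + checksum */
    SREC_ERR_LENGTH,    /* count does not match the characters present */
    SREC_ERR_CHECKSUM   /* trailing checksum byte is wrong */
};

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_digit(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode the two hex digits at p into a byte, or -1 if either is not hex. */
static int hex_byte(const char *p)
{
    int hi = hex_digit((unsigned char)p[0]);
    int lo = hex_digit((unsigned char)p[1]);
    if (hi < 0 || lo < 0) return -1;
    return hi * 16 + lo;
}

/* Validate one S-record line. The count field is checked against the
 * minimum for the record type before any data byte is decoded. */
int srec_check_line(const char *line)
{
    size_t len = strlen(line);
    int addr_bytes, count, cks;
    unsigned sum;
    size_t i;

    /* Ignore a trailing line ending. */
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;

    /* Need at least 'S', the type digit and the two-digit count. */
    if (len < 4 || line[0] != 'S') return SREC_ERR_FRAMING;

    /* Address width per record type (S4 is reserved and rejected). */
    switch (line[1]) {
    case '0': case '1': case '5': case '9': addr_bytes = 2; break;
    case '2': case '6': case '8':           addr_bytes = 3; break;
    case '3': case '7':                     addr_bytes = 4; break;
    default: return SREC_ERR_FRAMING;
    }

    count = hex_byte(line + 2);
    if (count < 0) return SREC_ERR_FRAMING;

    /* A count of 0 (the "S700" input) or anything below address + checksum
     * is malformed; reject it here rather than indexing data with it. */
    if (count < addr_bytes + 1) return SREC_ERR_COUNT;

    /* Every counted byte must actually be present as two hex characters. */
    if ((size_t)count * 2 != len - 4) return SREC_ERR_LENGTH;

    /* Checksum: low byte of the ones complement of the sum of count,
     * address and data bytes must equal the final byte. */
    sum = (unsigned)count;
    for (i = 4; i < len - 2; i += 2) {
        int b = hex_byte(line + i);
        if (b < 0) return SREC_ERR_FRAMING;
        sum += (unsigned)b;
    }
    cks = hex_byte(line + len - 2);
    if (cks < 0) return SREC_ERR_FRAMING;
    if (((~sum) & 0xFFu) != (unsigned)cks) return SREC_ERR_CHECKSUM;

    return SREC_OK;
}

int main(void)
{
    /* Constructed inputs: the crashing record from the report, a valid
     * S9 termination record and a valid S1 data record. */
    const char *samples[] = { "S700", "S9030000FC", "S10500001234B4" };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-16s -> %d\n", samples[n], srec_check_line(samples[n]));
    return 0;
}
```

Run over the three constructed inputs, the first is rejected with SREC_ERR_COUNT and the other two are accepted; the length test rejects a record whose data was truncated, and the checksum test rejects a record whose bytes were altered in transit.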