https://sourceware.org/bugzilla/show_bug.cgi?id=20089
Bug ID: 20089
Summary: objcopy.c line 1130 has no size check before accessing the isympp array.
Product: binutils
Version: 2.26
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: ecular at 163 dot com
Target Milestone: ---
Created attachment 9255
--> https://sourceware.org/bugzilla/attachment.cgi?id=9255&action=edit
Running ./strip-new -s thisfile can cause strip-new to crash.
Hi there,
I crashed strip-new (with flag -s) with the file attached.
It is because of an invalid access at objcopy.c line 1130 in group_signature()
when ghdr->sh_info is 0.
if (symhdr->sh_type == SHT_SYMTAB
    && ghdr->sh_info < symhdr->sh_size / bed->s->sizeof_sym)
  return isympp[ghdr->sh_info - 1];
The gdb output looks like this:
Program received signal SIGSEGV, Segmentation fault.
0x000000000041a98f in group_signature (group=0xb2ce20, group=0xb2ce20) at
objcopy.c:1130
1130 return isympp[ghdr->sh_info - 1];
(gdb) bt
#0 0x000000000041a98f in group_signature (group=0xb2ce20, group=0xb2ce20) at
objcopy.c:1130
#1 is_strip_section (sec=sec@entry=0xb2ce20, abfd=0xb2bc40) at objcopy.c:1240
#2 0x0000000000429757 in setup_section (ibfd=0xb2bc40, isection=0xb2ce20,
obfdarg=0xb2f000) at objcopy.c:2967
#3 0x00000000004fb4b4 in bfd_map_over_sections (abfd=abfd@entry=0xb2bc40,
operation=operation@entry=0x429700 <setup_section>,
user_storage=user_storage@entry=0xb2f000) at section.c:1392
#4 0x000000000041ef34 in copy_object (ibfd=ibfd@entry=0xb2bc40,
obfd=obfd@entry=0xb2f000, input_arch=input_arch@entry=0x0) at objcopy.c:1996
#5 0x000000000042907e in copy_object (input_arch=0x0, obfd=0xb2f000,
ibfd=0xb2bc40) at objcopy.c:1810
#6 copy_file (input_filename=0x7fffffffe731
"id:000001,sig:11,src:001587,op:havoc,rep:4",
output_filename=output_filename@entry=0xb2af00 "stAHEPxQ",
input_target=input_target@entry=0x0, output_target=<optimized out>,
output_target@entry=0x0, input_arch=input_arch@entry=0x0) at objcopy.c:2817
#7 0x00000000004113e6 in strip_main (argv=<optimized out>, argc=<optimized
out>) at objcopy.c:3680
#8 main (argc=3, argv=0x7fffffffe498) at objcopy.c:4766
(gdb) print ghdr->sh_info
$1 = 0
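The following is an added example, not part of the original report and not binutils code. It reproduces the arithmetic behind the crash in isolation: the report's check only bounds sh_info from above, so sh_info == 0 (STN_UNDEF, the null symbol, which can never be a group signature) passes the test and `sh_info - 1` wraps to UINT_MAX before it is used as an index into isympp. The names `original_index`, `hardened_index` and `original_reads_oob` are mine; the hardened variant adds the lower bound that the snippet lacks and is my suggestion, not the project's patch. The symbol table sizes (ELF64 Elf64_Sym is 24 bytes, a constructed 4-entry symtab) are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

#define SHT_SYMTAB 2

/* Constructed stand-in for the ELF section header fields the report's
   snippet touches; sh_info is unsigned int, as in BFD's Elf_Internal_Shdr. */
typedef struct {
    uint32_t sh_type;
    unsigned int sh_info;   /* group: index of the signature symbol */
    uint64_t sh_size;       /* symtab: size in bytes */
} elf_shdr;

/* Number of Elf_Sym entries in the symtab, including the null entry 0. */
static uint64_t nsyms(const elf_shdr *symhdr, unsigned sizeof_sym)
{
    return symhdr->sh_size / sizeof_sym;
}

/* Mirrors the check quoted in the report: upper bound only.
   Returns the index that would be used for isympp[], or -1 if rejected.
   With sh_info == 0 the unsigned subtraction wraps to UINT_MAX. */
static long long original_index(const elf_shdr *symhdr, const elf_shdr *ghdr,
                                unsigned sizeof_sym)
{
    if (symhdr->sh_type == SHT_SYMTAB
        && ghdr->sh_info < nsyms(symhdr, sizeof_sym)) {
        unsigned int idx = ghdr->sh_info - 1u;   /* 0u - 1u == UINT_MAX */
        return (long long)idx;
    }
    return -1;
}

/* Hardened variant (my suggestion): reject the null symbol explicitly and
   keep the existing upper bound, so 1 <= sh_info < nsyms, i.e. the
   isympp index sh_info - 1 lies in [0, nsyms - 2]. isympp omits the null
   symbol, which is why the original subtracts one. */
static long long hardened_index(const elf_shdr *symhdr, const elf_shdr *ghdr,
                                unsigned sizeof_sym)
{
    if (symhdr->sh_type != SHT_SYMTAB)
        return -1;
    if (ghdr->sh_info == 0 || ghdr->sh_info >= nsyms(symhdr, sizeof_sym))
        return -1;
    return (long long)(ghdr->sh_info - 1u);
}

/* 1 if the original check accepts ghdr but yields an index outside the
   isympp array (which holds nsyms - 1 entries), 0 otherwise. */
static int original_reads_oob(const elf_shdr *symhdr, const elf_shdr *ghdr,
                              unsigned sizeof_sym)
{
    long long idx = original_index(symhdr, ghdr, sizeof_sym);
    if (idx < 0)
        return 0;
    return (uint64_t)idx >= nsyms(symhdr, sizeof_sym) - 1;
}

/* Helpers that build the constructed headers for a given sh_info. */
static long long run_original(unsigned int sh_info)
{
    elf_shdr symhdr = { SHT_SYMTAB, 0, 4 * 24 };   /* 4 symbols, ELF64 */
    elf_shdr ghdr = { 17 /* SHT_GROUP */, sh_info, 0 };
    return original_index(&symhdr, &ghdr, 24);
}

static long long run_hardened(unsigned int sh_info)
{
    elf_shdr symhdr = { SHT_SYMTAB, 0, 4 * 24 };
    elf_shdr ghdr = { 17, sh_info, 0 };
    return hardened_index(&symhdr, &ghdr, 24);
}

static int run_oob(unsigned int sh_info)
{
    elf_shdr symhdr = { SHT_SYMTAB, 0, 4 * 24 };
    elf_shdr ghdr = { 17, sh_info, 0 };
    return original_reads_oob(&symhdr, &ghdr, 24);
}

int main(void)
{
    unsigned int cases[] = { 0, 1, 2, 3, 4 };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("sh_info=%u original=%lld oob=%d hardened=%lld\n",
               cases[i], run_original(cases[i]), run_oob(cases[i]),
               run_hardened(cases[i]));
    }
    return 0;
}
```

With the constructed 4-entry symtab, isympp has three entries (indices 0..2). sh_info values 1..3 are accepted by both versions and map to indices 0..2; sh_info 4 is rejected by both via the upper bound; sh_info 0 is accepted by the original with index 4294967295, which multiplied by sizeof(asymbol *) is the far-out-of-range read that produced the SIGSEGV in the trace above, and is rejected by the hardened check.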
bug-binutils mailing list
https://lists.gnu.org/mailman/listinfo/bug-binutils