https://sourceware.org/bugzilla/show_bug.cgi?id=22895
Bug ID: 22895
Summary: integer overflow in read_attribute_value
Product: binutils
Version: 2.31 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: luanjunchao at 163 dot com
Target Milestone: ---

The command I tested is "nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $POC".

In function read_attribute_value in dwarf2.c:1175:

    case DW_FORM_block:
      amt = sizeof (struct dwarf_block);
      blk = (struct dwarf_block *) bfd_alloc (abfd, amt);
      if (blk == NULL)
        return NULL;
      blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
                                         FALSE, info_ptr_end);
      info_ptr += bytes_read;
      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
      info_ptr += blk->size;
      attr->u.blk = blk;
      break;

I found a case where blk->size is large enough to lead to integer overflow of info_ptr.

The POC file is https://github.com/skysider/FuzzVuln/blob/master/binutils_nm_integer_overflow_read_attribute_value.elf

-- 
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
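The pattern the report points at is advancing info_ptr by a file-controlled LEB128 length before that length has been checked against info_ptr_end, so the pointer arithmetic itself can wrap. The following is an added example, not the binutils code: a hypothetical DW_FORM_block reader that compares the decoded size against the bytes that remain before it moves the cursor; read_uleb128, read_form_block, block_consumed and the two sample byte arrays are all constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Decode an unsigned LEB128 without reading past 'end'; returns bytes consumed, 0 if truncated. */
static size_t read_uleb128(const uint8_t *p, const uint8_t *end, uint64_t *out)
{
    uint64_t result = 0;
    unsigned shift = 0;
    size_t n = 0;
    while (p + n < end) {
        uint8_t byte = p[n++];
        if (shift < 64)
            result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if ((byte & 0x80) == 0) {
            *out = result;
            return n;
        }
    }
    return 0;
}
struct block { const uint8_t *data; uint64_t size; };
/* Hypothetical hardened DW_FORM_block reader (not the binutils code). Returns the
   byte after the block, or NULL if the encoded size does not fit in what remains. */
static const uint8_t *read_form_block(const uint8_t *p, const uint8_t *end,
                                      struct block *blk)
{
    uint64_t size;
    size_t n = read_uleb128(p, end, &size);
    if (n == 0)
        return NULL;
    p += n;
    /* Compare against the remaining length instead of forming p + size:
       that sum can wrap around and still look in-bounds. */
    if (size > (uint64_t)(end - p))
        return NULL;
    blk->data = p;
    blk->size = size;
    return p + size;
}
/* Bytes consumed by one block starting at buf, or -1 if it is rejected. */
long block_consumed(const uint8_t *buf, size_t len)
{
    struct block blk;
    const uint8_t *next = read_form_block(buf, buf + len, &blk);
    return next ? (long)(next - buf) : -1;
}
/* Constructed samples: a 3-byte block plus one trailing byte, and a ULEB128 encoding of 2^64-1 with no payload. */
const uint8_t sample_ok[]   = { 0x03, 'a', 'b', 'c', 0xAA };
const uint8_t sample_huge[] = { 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x01 };
```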