[Bug binutils/20499] gprof: segmentation fault on invalid symbol file

2016-08-30 Thread tobias at stoeckmann dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=20499 Tobias Stoeckmann changed:
What       | Removed  | Added
Status     | REOPENED | RESOLVED
Resolution | ---      |

[Bug binutils/20499] gprof: segmentation fault on invalid symbol file

2016-08-26 Thread tobias at stoeckmann dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=20499 --- Comment #14 from Tobias Stoeckmann --- Created attachment 9479 --> https://sourceware.org/bugzilla/attachment.cgi?id=9479&action=edit My proposed patch

[Bug binutils/20499] gprof: segmentation fault on invalid symbol file

2016-08-26 Thread tobias at stoeckmann dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=20499 --- Comment #13 from Tobias Stoeckmann --- The check alone does not prevent the integer overflow in xmalloc()'s argument. I would recommend bailing out when encountering a file that is simply too large to be sane. See my proposal for details.

[Bug binutils/20499] gprof: segmentation fault on invalid symbol file

2016-08-23 Thread tobias at stoeckmann dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=20499 --- Comment #10 from Tobias Stoeckmann --- Challenge accepted. :D So I investigated this. It is in fact possible to crash gprof with a "num" overflow here. Let's consider the possible situations: AMD64: It is impossible to overflow a 64 bit

[Bug binutils/20499] gprof: segmentation fault on invalid symbol file

2016-08-23 Thread tobias at stoeckmann dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=20499 --- Comment #7 from Tobias Stoeckmann --- Oh, nice spotting with this "[^\n:]" parsing, I skipped validating that because this kind of expression was unknown to me. Always amazing to see what else pops up when more people look at the code! :)

[Bug binutils/20499] gprof: segmentation fault on invalid symbol file

2016-08-22 Thread tobias at stoeckmann dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=20499 --- Comment #5 from Tobias Stoeckmann --- The buffers are secured due to their size (to be honest, I didn't even check that when I did my review... *phew* :) ). The actual issue arises if the parsed line does not match "%s %c %s". This patter

[Bug binutils/20499] gprof: segmentation fault on invalid symbol file

2016-08-22 Thread tobias at stoeckmann dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=20499 --- Comment #3 from Tobias Stoeckmann --- It is possible to access uninitialized memory now. Take this symbol file for example: x x x a t a The variable "name" is malloc()ed, so the content cannot be guaranteed to be nul-terminated after fi

[Bug binutils/20499] New: gprof: segmentation fault on invalid symbol file

2016-08-21 Thread tobias at stoeckmann dot org
Component: binutils Assignee: unassigned at sourceware dot org Reporter: tobias at stoeckmann dot org Target Milestone: --- Created attachment 9465 --> https://sourceware.org/bugzilla/attachment.cgi?id=9465&action=edit Fix segmentation fault in gprof $ ca