PR27879, stack-buffer-overflow on sysdump

Message ID 20210519015547.GC207157@bubble.grove.modra.org
State New
Headers show
Series
  • PR27879, stack-buffer-overflow on sysdump
Related show

Commit Message

Jan Beulich via Binutils May 19, 2021, 1:55 a.m.
PR 27879
	* sysdump.c (getBARRAY): Sanity check size against max.
	(getINT): Avoid UB shift left.


-- 
Alan Modra
Australia Development Lab, IBM

Patch

diff --git a/binutils/sysdump.c b/binutils/sysdump.c
index 8993152bdd6..35796e829a0 100644
--- a/binutils/sysdump.c
+++ b/binutils/sysdump.c
@@ -131,19 +131,21 @@  fillup (unsigned char *ptr)
 }
 
 static barray
-getBARRAY (unsigned char *ptr, int *idx, int dsize ATTRIBUTE_UNUSED,
-	   int max ATTRIBUTE_UNUSED)
+getBARRAY (unsigned char *ptr, int *idx, int dsize ATTRIBUTE_UNUSED, int max)
 {
   barray res;
   int i;
   int byte = *idx / 8;
-  int size = ptr[byte++];
+  int size = 0;
+
+  if (byte < max)
+    size = ptr[byte++];
 
   res.len = size;
   res.data = (unsigned char *) xmalloc (size);
 
   for (i = 0; i < size; i++)
-    res.data[i] = ptr[byte++];
+    res.data[i] = byte < max ? ptr[byte++] : 0;
 
   return res;
 }
@@ -179,7 +181,8 @@  getINT (unsigned char *ptr, int *idx, int size, int max)
       n = (ptr[byte + 0] << 8) + ptr[byte + 1];
       break;
     case 4:
-      n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]);
+      n = (((unsigned) ptr[byte + 0] << 24) + (ptr[byte + 1] << 16)
+	   + (ptr[byte + 2] << 8) + (ptr[byte + 3]));
       break;
     default:
       fatal (_("Unsupported read size: %d"), size);