PR28518: signed integer overflow & free on unmalloced address

PR 28518
	* vms-alpha.c (build_module_list): Don't lose malloc buffer address.
	Use unsigned variables.
Alan Modra
2021-10-30 18:42:00 +10:30
parent fb9f44d410
commit 3c8ed65a5d


@ -4794,26 +4794,26 @@ build_module_list (bfd *abfd)
since we can compute the start address and the end address since we can compute the start address and the end address
of every module from the section contents. */ of every module from the section contents. */
bfd_size_type size = bfd_section_size (dmt); bfd_size_type size = bfd_section_size (dmt);
unsigned char *ptr, *end; unsigned char *buf, *ptr, *end;
if (! bfd_malloc_and_get_section (abfd, dmt, &ptr)) if (! bfd_malloc_and_get_section (abfd, dmt, &buf))
return NULL; return NULL;
vms_debug2 ((2, "DMT\n")); vms_debug2 ((2, "DMT\n"));
ptr = buf;
end = ptr + size; end = ptr + size;
while (end - ptr >= DBG_S_C_DMT_HEADER_SIZE) while (end - ptr >= DBG_S_C_DMT_HEADER_SIZE)
{ {
/* Each header declares a module with its start offset and size /* Each header declares a module with its start offset and size
of debug info in the DST section, as well as the count of of debug info in the DST section, as well as the count of
program sections (i.e. address spans) it contains. */ program sections (i.e. address spans) it contains. */
int modbeg = bfd_getl32 (ptr + DBG_S_L_DMT_MODBEG); unsigned int modbeg = bfd_getl32 (ptr + DBG_S_L_DMT_MODBEG);
int msize = bfd_getl32 (ptr + DBG_S_L_DST_SIZE); unsigned int msize = bfd_getl32 (ptr + DBG_S_L_DST_SIZE);
int count = bfd_getl16 (ptr + DBG_S_W_DMT_PSECT_COUNT); int count = bfd_getl16 (ptr + DBG_S_W_DMT_PSECT_COUNT);
ptr += DBG_S_C_DMT_HEADER_SIZE; ptr += DBG_S_C_DMT_HEADER_SIZE;
vms_debug2 ((3, "module: modbeg = %d, size = %d, count = %d\n", vms_debug2 ((3, "module: modbeg = %u, size = %u, count = %d\n",
modbeg, msize, count)); modbeg, msize, count));
/* We create a 'module' structure for each program section since /* We create a 'module' structure for each program section since
@ -4823,8 +4823,8 @@ build_module_list (bfd *abfd)
cause problems in practice. */ cause problems in practice. */
while (count-- > 0 && end - ptr >= DBG_S_C_DMT_PSECT_SIZE) while (count-- > 0 && end - ptr >= DBG_S_C_DMT_PSECT_SIZE)
{ {
int start = bfd_getl32 (ptr + DBG_S_L_DMT_PSECT_START); unsigned int start = bfd_getl32 (ptr + DBG_S_L_DMT_PSECT_START);
int length = bfd_getl32 (ptr + DBG_S_L_DMT_PSECT_LENGTH); unsigned int length = bfd_getl32 (ptr + DBG_S_L_DMT_PSECT_LENGTH);
module = new_module (abfd); module = new_module (abfd);
module->modbeg = modbeg; module->modbeg = modbeg;
module->size = msize; module->size = msize;
@ -4834,11 +4834,11 @@ build_module_list (bfd *abfd)
list = module; list = module;
ptr += DBG_S_C_DMT_PSECT_SIZE; ptr += DBG_S_C_DMT_PSECT_SIZE;
vms_debug2 ((4, "section: start = 0x%x, length = %d\n", vms_debug2 ((4, "section: start = 0x%x, length = %u\n",
start, length)); start, length));
} }
} }
free (ptr); free (buf);
} }
else else
{ {
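Review bot: In the second hunk, `modbeg` and `msize` are read from the DMT section with `bfd_getl32` and stored in `module->modbeg` and `module->size` without being compared against the size of the DST section they refer to. Making them unsigned removes the signed overflow, but a crafted file can still supply any 32-bit value. If the code that consumes these fields (outside the lines shown) does not already range-check them, the check belongs here; otherwise a comment such as `/* modbeg/msize are untrusted file values; bounds-checked against the DST section where they are used.  */` would record where it happens. Separately, `module = new_module (abfd);` is followed directly by `module->modbeg = modbeg;`, so if `new_module` can return NULL on allocation failure (its definition is not shown) the result should be tested before the store, with `buf` still freed on that path. `build_module_list` starts before the first hunk and continues past the last one.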