Fix memory access violations triggered by running sysdump on fuzzed binaries.

PR binutils/17512 * sysdump.c (getINT): Fail if reading off the end of the buffer. Replace call to abort with a call to fatal. (getCHARS): Prevetn reading off the end of the buffer.
2025-10-15 11:56:11 +08:00 · 2015-01-08 13:52:42 +00:00
parent 2279a12a44
commit 848cde35d6
2 changed files with 16 additions and 2 deletions
--- a/binutils/sysdump.c
+++ b/binutils/sysdump.c
@ -66,6 +66,9 @@ getCHARS (unsigned char *ptr, int *idx, int size, int max)

  if (b == 0)
    {
+      /* PR 17512: file: 13caced2.  */
+      if (oc >= max)
+	return _("*corrupt*");
      /* Got to work out the length of the string from self.  */
      b = ptr[oc++];
      (*idx) += 8;
@ -166,7 +169,12 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
  int byte = *idx / 8;

  if (byte >= max)
-    return 0;
+    {
+      /* PR 17512: file: id:000001,src:000002,op:flip1,pos:45.  */
+      /* Prevent infinite loops re-reading beyond the end of the buffer.  */
+      fatal (_("ICE: getINT: Out of buffer space"));
+      return 0;
+    }

  if (size == -2)
    size = addrsize;
@ -188,7 +196,7 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
      n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]);
      break;
    default:
-      abort ();
+      fatal (_("Unsupported read size: %d"), size);
    }

  *idx += size * 8;
@ -615,6 +623,8 @@ module (void)
  do
    {
      c = getc (file);
+      if (c == EOF)
+	break;
      ungetc (c, file);

      c &= 0x7f;