This is the mail archive of the
binutils@sourceware.org
mailing list for the binutils project.
PATCH: PR gas/7059: buffer overflow detected while building a to be cross-compiled application
- From: "H.J. Lu" <hjl dot tools at gmail dot com>
- To: binutils at sources dot redhat dot com
- Date: Sun, 4 Jan 2009 11:03:26 -0800
- Subject: PATCH: PR gas/7059: buffer overflow detected while building a to be cross-compiled application
The bug in coffcode.h:
#ifdef COFF_LONG_SECTION_NAMES
      /* Handle long section names as in PE.  This must be compatible
         with the code in coff_write_symbols and _bfd_coff_final_link.  */
      {
        size_t len;

        len = strlen (current->name);
        if (len > SCNNMLEN)
          {
            memset (section.s_name, 0, SCNNMLEN);
            sprintf (section.s_name, "/%lu", (unsigned long) string_size);
            string_size += len + 1;
            long_section_names = TRUE;
          }
      }
#endif
include/coff/internal.h:#define SCNNMLEN (8)
(gdb) p string_size
$2 = 1000070
We don't check if string_size will fit in "char s_name[SCNNMLEN]".
This patch uses snprintf and "%lx".
H.J.
----
2009-01-04 H.J. Lu <hongjiu.lu@intel.com>
PR gas/7059
* coffcode.h (coff_write_object_contents): Replace sprintf
with snprintf.
--- bfd/coffcode.h.stack 2008-12-23 11:38:58.000000000 -0800
+++ bfd/coffcode.h 2009-01-04 10:58:41.000000000 -0800
@@ -3509,7 +3509,8 @@ coff_write_object_contents (bfd * abfd)
if (len > SCNNMLEN)
{
memset (section.s_name, 0, SCNNMLEN);
- sprintf (section.s_name, "/%lu", (unsigned long) string_size);
+ snprintf (section.s_name, SCNNMLEN,
+ "/%lx", (unsigned long) string_size);
string_size += len + 1;
long_section_names = TRUE;
}
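Review bot: the replacement `snprintf (section.s_name, SCNNMLEN,` writes at most SCNNMLEN-1 characters plus a NUL, so any string_size whose "/%lx" text is 8 characters or longer (string_size >= 0x1000000) is silently truncated and a wrong string-table offset is written into the object; the snprintf return value should be checked and an error returned to the caller when it is >= SCNNMLEN instead of emitting a truncated name. Separately, the comment above this block says the encoding must stay compatible with coff_write_symbols and _bfd_coff_final_link, and changing the format from "/%lu" to "/%lx" changes the on-disk encoding of the offset, so either the readers of these names must be updated to parse hex in the same patch, or the decimal form kept and the overflow reported; the ChangeLog entry mentions only the snprintf change and should also record the format change if it stays.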
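An added example (mine, not part of this patch or of binutils) showing why the string_size seen in gdb overflows the 8-byte field and how a checked encoder refuses offsets that do not fit rather than truncating them; SCNNMLEN is the page's value, the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define SCNNMLEN 8   /* from include/coff/internal.h */

/* Bytes an unchecked sprintf (s_name, FMT, OFFSET) stores, counting the
   terminating NUL.  More than SCNNMLEN means the 8-byte field overflows. */
static int sprintf_bytes_written (const char *fmt, unsigned long offset)
{
  return snprintf (NULL, 0, fmt, offset) + 1;
}

/* Hypothetical checked encoder (not binutils code): format "/<offset>"
   into the 8-byte s_name field.  Returns 1 if the text fits, 0 if not;
   on 0 the field is left zeroed instead of holding a truncated, and so
   wrong, string-table offset.  A name filling all 8 bytes carries no
   NUL, which the COFF section header permits. */
static int encode_long_name (char s_name[SCNNMLEN], const char *fmt,
                             unsigned long offset)
{
  char tmp[32];   /* room for "/" plus any unsigned long */
  int n = snprintf (tmp, sizeof tmp, fmt, offset);

  memset (s_name, 0, SCNNMLEN);
  if (n < 0 || n > SCNNMLEN)
    return 0;
  memcpy (s_name, tmp, (size_t) n);
  return 1;
}

/* 1 if OFFSET encodes with FMT and the field equals EXPECT, compared as
   8 bytes (so pass a NUL-padded literal such as "/f4286\0\0"). */
static int encodes_to (const char *fmt, unsigned long offset,
                       const char *expect)
{
  char s_name[SCNNMLEN];
  return encode_long_name (s_name, fmt, offset)
         && memcmp (s_name, expect, SCNNMLEN) == 0;
}

int main (void)
{
  /* string_size from the gdb session: decimal needs 9 bytes (the NUL
     overflows the field), hex needs 7. */
  printf ("/%%lu: %d bytes, /%%lx: %d bytes, field: %d bytes\n",
          sprintf_bytes_written ("/%lu", 1000070UL),
          sprintf_bytes_written ("/%lx", 1000070UL), SCNNMLEN);
  return 0;
}
```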