Hi ICBM,
Found a new vuln in the bfd lib COFF code, similar to the last
one...
In the do_slurp_coff_armap() function:

static bfd_boolean
do_slurp_coff_armap (bfd *abfd)
{
  ...
  carsym_size = (nsymz * sizeof (carsym)); /* uses the nsymz from file */
  ptrsize = (4 * nsymz);                   /* integer overflow here */
  ...
  /* Allocate and read in the raw offsets.  */
  raw_armap = bfd_alloc (abfd, ptrsize);   /* allocates wrong memory size here */
  if (raw_armap == NULL)
    goto release_symdefs;
  ...
}
I do not understand why this can lead to a vulnerability. Even if the
computation of "ptrsize" does overflow all that will happen is that the
code will read in too little of the archive's map. The code in
bfd_alloc() treats the size parameter as unsigned and it copes with a
very large value which is too big to be allocated. So where is the
vulnerability?
Cheers
Nick
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-binutils
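An added illustration, not code from the report or from binutils, of the arithmetic the two messages disagree about: with a 32-bit size type (assumed here so the wrap is visible; bfd_size_type is wider on 64-bit hosts) a file-supplied nsymz of 0x40000001 makes 4 * nsymz wrap to 4, and a division-based range check rejects such a count before any allocation. The carsym stand-in struct and the 32-bit type are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 32-bit size type so the wrap-around is observable in a small
   program; bfd_size_type on a 64-bit host is wider.  */
typedef uint32_t size_type32;

/* Stand-in for bfd's carsym record (name pointer plus offset); only its
   size matters for the arithmetic below.  */
struct carsym_toy { const char *name; uint64_t file_offset; };
#define CARSYM_SIZE ((size_type32) sizeof (struct carsym_toy))

/* Unchecked arithmetic as in the quoted snippet: the product wraps
   silently, so a huge symbol count yields a tiny allocation size.  */
static size_type32
ptrsize_unchecked (size_type32 nsymz)
{
  return 4 * nsymz;
}

/* True iff both products used for allocation fit in the size type.
   Division form needs no compiler builtins.  */
static bool
armap_nsymz_ok (size_type32 nsymz)
{
  return nsymz <= UINT32_MAX / 4 && nsymz <= UINT32_MAX / CARSYM_SIZE;
}

/* Checked replacement for the two assignments: fails instead of
   handing a wrapped size to the allocator.  */
static bool
armap_sizes_checked (size_type32 nsymz, size_type32 *carsym_size,
                     size_type32 *ptrsize)
{
  if (!armap_nsymz_ok (nsymz))
    return false;
  *carsym_size = nsymz * CARSYM_SIZE;
  *ptrsize = 4 * nsymz;
  return true;
}

int main (void)
{
  size_type32 nsymz = 0x40000001u;  /* constructed count from a hostile armap */
  size_type32 cs, ps;
  printf ("unchecked ptrsize for %#x: %u bytes\n", (unsigned) nsymz,
          (unsigned) ptrsize_unchecked (nsymz));
  printf ("checked: %s\n", armap_sizes_checked (nsymz, &cs, &ps) ? "accepted" : "rejected");
  return 0;
}
```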