https://sourceware.org/bugzilla/show_bug.cgi?id=24644

--- Comment #2 from Alex Rebert <alex at forallsecure dot com> ---
Oops. Sorry about that. I saw
https://sourceware.org/bugzilla/show_bug.cgi?id=23361 and thought you were
interested in those.

FWIW, there are a few overflows in there, and the overflow checks don't catch
them all. I haven't been able to make it crash yet, but I have an input that
leads to calling bfd_bread on a small buffer with a very large size. Happy to
upload it if you're interested in it.

Details: When parsed_size=-1 and nsymz=2, the function allocates an 8-byte
symdefs array, while stringsize is 18446744073709551591. Since bfd_read calls
cache_bread, which takes a signed size which ends up being negative, no
overflow happens.

_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
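
The arithmetic described in the comment above, as an added example (not part of the original post and not binutils code). The size formulas and the 16-byte entry size are assumptions, chosen because they reproduce the two figures quoted there (an 8-byte allocation and a stringsize of 18446744073709551591); `checked_sizes` and its `file_remaining` parameter are hypothetical.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not taken from binutils): an 8-byte count, nsymz 8-byte
   offsets, then the string table; one in-memory symbol entry is 16 bytes. */
#define PTR_SIZE   8u
#define ENTRY_SIZE 16u

/* Unchecked arithmetic: every step wraps modulo 2^64. */
static uint64_t naive_stringsize(uint64_t parsed_size, uint64_t nsymz) {
    return parsed_size - PTR_SIZE * nsymz - PTR_SIZE;
}
static uint64_t naive_alloc(uint64_t parsed_size, uint64_t nsymz) {
    return nsymz * ENTRY_SIZE + naive_stringsize(parsed_size, nsymz) + 1;
}

/* True when a callee taking a signed 64-bit length would see this value
   as negative (two's complement reinterpretation). */
static bool negative_when_signed(uint64_t size) {
    return size > (uint64_t)INT64_MAX;
}

/* Checked version: bound parsed_size by the bytes actually left in the file
   and reject any step that would wrap. Returns false on rejection. */
static bool checked_sizes(uint64_t parsed_size, uint64_t nsymz,
                          uint64_t file_remaining,
                          uint64_t *stringsize, uint64_t *alloc) {
    if (parsed_size > file_remaining || parsed_size < PTR_SIZE) return false;
    uint64_t body = parsed_size - PTR_SIZE;           /* bytes after the count */
    if (nsymz > body / PTR_SIZE) return false;        /* offsets must fit */
    uint64_t ss = body - nsymz * PTR_SIZE;            /* cannot underflow now */
    if (nsymz > (UINT64_MAX - ss - 1) / ENTRY_SIZE) return false;
    *stringsize = ss;
    *alloc = nsymz * ENTRY_SIZE + ss + 1;
    return true;
}

int main(void) {
    uint64_t ps = UINT64_MAX, n = 2, ss = 0, amt = 0;  /* parsed_size = -1 */
    printf("naive stringsize = %" PRIu64 "\n", naive_stringsize(ps, n));
    printf("naive allocation = %" PRIu64 " bytes\n", naive_alloc(ps, n));
    printf("negative as signed length: %d\n",
           negative_when_signed(naive_stringsize(ps, n)));
    printf("checked version accepts: %d\n",
           checked_sizes(ps, n, 4096, &ss, &amt));
    return 0;
}
```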
