https://sourceware.org/bugzilla/show_bug.cgi?id=29100
Bug ID: 29100
Summary: Buffer overflow when read function mapping file
Product: binutils
Version: 2.38
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gprof
Assignee: unassigned at sourceware dot org
Reporter: yguoaz at gmail dot com
Target Milestone: ---

In the file gprof/corefile.c, the function read_function_mappings has the following code:
(link: https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=gprof/corefile.c;h=2838d49f9d22926affc5a62bd351bbdf914d51cd;hb=20756b0fbe065a84710aa38f2457563b57546440#l121)

    static void
    read_function_mappings (const char *filename)
    {
      FILE * file = fopen (filename, "r");
      int count = 0;

      while (!feof (file))
        {
          ...
          matches = fscanf (file, "%" STR_BUFSIZE "[^\n]\n", dummy);
          if (!matches)
            parse_error (filename);
          count++;
        }

      symbol_map = ((struct function_map *)
                    xmalloc (count * sizeof (struct function_map)));
      // code that writes to symbol_map
    }

The value of the variable count is determined by how many matches we get from the input file. It could be a really large value, e.g., close to INT_MAX. Then the computation of the allocation size "count * sizeof (struct function_map)" may trigger an integer overflow and thus lead to a small buffer being allocated. This will lead to subsequent buffer overflows.
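The following is an added example, not code from the bug report or from binutils. It puts the unchecked `count * sizeof (element)` pattern beside an overflow-checked allocation helper of the kind a fix would use. The `struct function_map` here is a stand-in with an assumed layout, not gprof's real definition, and the unchecked product is deliberately carried out in a 32-bit size type (`uint32_t`) so the wrap-around is visible on any host regardless of how wide its `size_t` is. The checked helper uses the portable division test (`count > SIZE_MAX / elem_size`) rather than a compiler builtin, and refuses the request instead of returning an undersized buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for gprof's struct function_map. The real layout is not
   reproduced here; this is an assumption for the example only. */
struct function_map {
    char *function_name;
    char *file_name;
};

/* Unchecked size computation, mirroring "count * sizeof (struct function_map)"
   but carried out in a 32-bit size type so the wrap is visible on any host.
   Returns the (possibly wrapped) byte count. */
uint32_t unchecked_size32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;   /* silently wraps modulo 2^32 */
}

/* Checked size computation: returns 1 and stores count * elem_size in *out,
   or returns 0 when the product would not fit in size_t. */
int checked_array_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;               /* product would wrap: refuse the request */
    *out = count * elem_size;
    return 1;
}

/* Hardened allocation: refuses oversized requests instead of handing back
   a small buffer that later element writes would overrun. Returns NULL on
   overflow or on allocation failure. */
void *alloc_array_checked(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_array_size(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

/* 1 if the checked path accepts a request for `count` function_map entries
   and the accepted byte count really holds that many elements, else 0. */
int request_is_sane(size_t count)
{
    size_t bytes;
    if (!checked_array_size(count, sizeof(struct function_map), &bytes))
        return 0;
    return bytes / sizeof(struct function_map) == count;
}

int main(void)
{
    /* Constructed count: 0x10000001 entries of 16 bytes need 0x100000010
       bytes, which wraps to 16 in 32-bit arithmetic. */
    uint32_t count = 0x10000001u;
    uint32_t elem  = 16;
    printf("unchecked 32-bit size for %u elements: %u bytes\n",
           count, unchecked_size32(count, elem));

    void *p = alloc_array_checked(SIZE_MAX, sizeof(struct function_map));
    printf("checked path for SIZE_MAX elements: %s\n",
           p == NULL ? "refused" : "accepted (unexpected)");
    free(p);

    size_t bytes;
    if (checked_array_size(1000, sizeof(struct function_map), &bytes))
        printf("checked path: 1000 elements -> %zu bytes\n", bytes);
    return 0;
}
```

The division test is the part worth copying: it costs one comparison, needs no compiler extension, and turns a silent wrap into an explicit failure that the caller can report as a parse error instead of continuing into the writes that follow the allocation.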