https://sourceware.org/bugzilla/show_bug.cgi?id=20499
Tobias Stoeckmann changed:
What | Removed | Added
Status | REOPENED | RESOLVED
Resolution | ---
--- Comment #16 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c616591359a014fcfdb5acb48e70ecda0823fb46
commit c616591359a014fcfdb5acb48e
--- Comment #17 from Nick Clifton ---
(In reply to Tobias Stoeckmann from comment #13)
> The check alone does not prevent the integer overflow in xmalloc()'s argument.
Good point.
> I would recommend bailing out when encountering a file that
--- Comment #15 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=00927233079d1d65826fd611019e9167706b9ec6
commit 00927233079d1d65826fd61101
--- Comment #14 from Tobias Stoeckmann ---
Created attachment 9479
--> https://sourceware.org/bugzilla/attachment.cgi?id=9479&action=edit
My proposed patch
--- Comment #13 from Tobias Stoeckmann ---
The check alone does not prevent the integer overflow in xmalloc()'s argument.
I would recommend bailing out when encountering a file that is simply too large
to be sane.
See my proposal for details.
Nick Clifton changed:
What | Removed | Added
Attachment #9470 is obsolete | 0 | 1
Nick Clifton changed:
What | Removed | Added
Status | RESOLVED | REOPENED
Last reconfirmed |
--- Comment #10 from Tobias Stoeckmann ---
Challenge accepted. :D
So I investigated this. It is in fact possible to crash gprof with a "num"
overflow here. Let's consider the possible situations:
AMD64:
It is impossible to overflow a 64 bit
--- Comment #7 from Tobias Stoeckmann ---
Oh, nice spotting with this "[^\n:]" parsing, I skipped validating that because
this kind of expression was unknown to me. Always amazing to see what else pops
up when more people look at the code! :)
--- Comment #9 from Nick Clifton ---
Hi Tobias,
> Now there's just the possible "num++" overflow on very large files left.
> Could hit amd64 or i386 with large file support. It takes a huge symbol file
> for that though.
Right - and I think
--- Comment #8 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=38334d6de448272c3bd831e3410dbc337fc2739d
commit 38334d6de448272c3bd831e3410
Nick Clifton changed:
What | Removed | Added
Attachment #9465 is obsolete | 0 | 1
--- Comment #5 from Tobias Stoeckmann ---
The buffers are secured due to their size (to be honest, I didn't even check
that when I did my review... *phew* :) ).
The actual issue arises if the parsed line does not match "%s %c %s". This
patter
--- Comment #4 from Nick Clifton ---
Created attachment 9468
--> https://sourceware.org/bugzilla/attachment.cgi?id=9468&action=edit
Proposed patch
(In reply to Tobias Stoeckmann from comment #3)
Hi Tobias,
> The variable "name" is malloc()
--- Comment #3 from Tobias Stoeckmann ---
It is possible to access uninitialized memory now.
Take this symbol file for example:
x
x
x
a t a
The variable "name" is malloc()ed, so the content cannot be guaranteed to be
nul-terminated after fi
Nick Clifton changed:
What | Removed | Added
Status | UNCONFIRMED | RESOLVED
CC |
--- Comment #1 from cvs-commit at gcc dot gnu.org ---
The master branch has been updated by Nick Clifton:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4ca0333f073cb4d86fe9d4e64c9dfdca5deba1e0
commit 4ca0333f073cb4d86fe9d4e64c9