author: Sunil Nimmagadda <sunil@cvs.openbsd.org>, 2019-03-16 16:35:04 +0000
committer: Sunil Nimmagadda <sunil@cvs.openbsd.org>, 2019-03-16 16:35:04 +0000
commit: 0e38ecf7188766e1facdfc19c1a71ebf43832803
tree: a90e66892a019d7a6342762d155ee9c1182db27d /usr.bin/ctfdump
parent: 837b5098b34fcb817d3aa17b4cf223fa1462c8e0
Fix a buffer over-read while dumping functions.
A bogus vlen in metadata could cause the offset to point beyond the CTF section
boundary. Found by afl-fuzz.
Ok mpi@
Diffstat (limited to 'usr.bin/ctfdump')
-rw-r--r-- | usr.bin/ctfdump/ctfdump.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/usr.bin/ctfdump/ctfdump.c b/usr.bin/ctfdump/ctfdump.c index 6c3ab924762..cda3f17e3dd 100644 --- a/usr.bin/ctfdump/ctfdump.c +++ b/usr.bin/ctfdump/ctfdump.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ctfdump.c,v 1.21 2019/03/16 15:34:58 sunil Exp $ */ +/* $OpenBSD: ctfdump.c,v 1.22 2019/03/16 16:35:03 sunil Exp $ */ /* * Copyright (c) 2016 Martin Pieuchot <mpi@openbsd.org> @@ -476,6 +476,9 @@ ctf_dump_type(struct ctf_header *cth, const char *data, off_t dlen, printf(" returns: %u args: (%u", ctt->ctt_type, *argp); for (i = 1; i < vlen; i++) { argp++; + if ((const char *)argp > data + dlen) + errx(1, "offset exceeds CTF section"); + printf(", %u", *argp); } printf(")"); |
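Review bot: The new bounds check `if ((const char *)argp > data + dlen)` is off by one and ignores the element size: when `argp` lands exactly at `data + dlen` the comparison is false and `*argp` is read from the first byte past the section, and when it lands one byte short of the end a multi-byte `*argp` still straddles the boundary. Suggest `if ((const char *)argp + sizeof(*argp) > data + dlen)` so the whole element being read is checked. Also, the unchanged `printf(" returns: %u args: (%u", ctt->ctt_type, *argp);` just above the loop dereferences the first argument slot before this check runs; worth confirming that an earlier bound covers it, since the commit message attributes the over-read to a bogus vlen and the first read depends on the same section layout.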