diff options
author | Sunil Nimmagadda <sunil@cvs.openbsd.org> | 2019-03-16 15:34:59 +0000 |
---|---|---|
committer | Sunil Nimmagadda <sunil@cvs.openbsd.org> | 2019-03-16 15:34:59 +0000 |
commit | 8a8433ed68b21ff6a287f23710e2a4b68c4968b6 (patch) | |
tree | a724e343e51b4fb6de38058df438ae83f006fbfb /usr.bin/ctfdump | |
parent | 6d95f54cf4f0cd48d131552535d87f1b4d24c18f (diff) |
Fix a buffer over-read while dumping structs/unions.
A bogus vlen in metadata could cause offset point beyond CTF section
boundary. Found by afl-fuzz.
Ok mpi@
Diffstat (limited to 'usr.bin/ctfdump')
-rw-r--r-- | usr.bin/ctfdump/ctfdump.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/usr.bin/ctfdump/ctfdump.c b/usr.bin/ctfdump/ctfdump.c index 687bbd01b58..6c3ab924762 100644 --- a/usr.bin/ctfdump/ctfdump.c +++ b/usr.bin/ctfdump/ctfdump.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ctfdump.c,v 1.20 2019/03/16 07:36:56 sunil Exp $ */ +/* $OpenBSD: ctfdump.c,v 1.21 2019/03/16 15:34:58 sunil Exp $ */ /* * Copyright (c) 2016 Martin Pieuchot <mpi@openbsd.org> @@ -489,6 +489,9 @@ ctf_dump_type(struct ctf_header *cth, const char *data, off_t dlen, for (i = 0; i < vlen; i++) { struct ctf_member *ctm; + if (p + toff > data + dlen) + errx(1, "offset exceeds CTF section"); + if (toff > (stroff - sizeof(*ctm))) break; @@ -504,6 +507,9 @@ ctf_dump_type(struct ctf_header *cth, const char *data, off_t dlen, for (i = 0; i < vlen; i++) { struct ctf_lmember *ctlm; + if (p + toff > data + dlen) + errx(1, "offset exceeds CTF section"); + if (toff > (stroff - sizeof(*ctlm))) break; |