nm: heap-buffer-overflow at elfcode.h:1507 in bfd_elf64_slurp_symbol_table PR 30885 * elfcode.h (elf_slurp_symbol_table): Compute the symcount for non dynamic symbols in the same way as _bfd_elf_get_symtab_upper_bound.
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 4b0544a..2eee20f 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2023-09-27 Nick Clifton <nickc@redhat.com>
+
+ PR 30885
+ * elfcode.h (elf_slurp_symbol_table): Compute the symcount for non
+ dynamic symbols in the same way as _bfd_elf_get_symtab_upper_bound.
+
 2023-09-13 Jacob Navia <jacob@jacob.remcomp.fr>
 
 * elf.c (_bfd_elf_init_reloc_shdr): Don't segfault on alloc fail.
diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index 92e727b..ab8c3ea 100644
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -1255,11 +1255,13 @@ symbols. We actually use all the ELF symbols, so there will be no space left over at the end. When we have all the symbols, we build the caller's pointer vector. */ + ebd = get_elf_backend_data (abfd); if (! dynamic) { hdr = &elf_tdata (abfd)->symtab_hdr; verhdr = NULL; + symcount = hdr->sh_size / ebd->s->sizeof_sym; } else { @@ -1278,12 +1280,13 @@ if (!_bfd_elf_slurp_version_tables (abfd, false)) return -1; } + + symcount = elf_tdata (abfd)->dt_symtab_count; } - ebd = get_elf_backend_data (abfd); - symcount = elf_tdata (abfd)->dt_symtab_count; if (symcount == 0) symcount = hdr->sh_size / sizeof (Elf_External_Sym); + if (symcount == 0) sym = symbase = NULL; else
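Review bot: The added `symcount = hdr->sh_size / ebd->s->sizeof_sym;` in the `! dynamic` branch carries a memory-safety invariant that only the ChangeLog states: the count has to agree with what `_bfd_elf_get_symtab_upper_bound` reports, presumably because callers size their symbol vector from that bound. A comment on that line would keep a later cleanup from reintroducing the mismatch, for example `/* Must match _bfd_elf_get_symtab_upper_bound; callers size their vector from it (PR 30885).  */`. The enclosing function starts and ends outside this hunk, so the allocation itself is not visible here.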
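Review bot: The fallback kept as context in the second hunk, `symcount = hdr->sh_size / sizeof (Elf_External_Sym);`, still divides by a different expression than the new non-dynamic line, which uses `ebd->s->sizeof_sym`. For the non-dynamic path it is now either dead (if the two sizes are equal, a zero quotient stays zero) or, should a backend's `sizeof_sym` ever differ, it recomputes a count that no longer matches the upper-bound calculation this commit aligns with. Consider writing it as `symcount = hdr->sh_size / ebd->s->sizeof_sym;` or moving it into the `else` branch next to `symcount = elf_tdata (abfd)->dt_symtab_count;`. The dynamic branch still takes `dt_symtab_count` as-is; nothing in the hunk shows it being checked against `hdr->sh_size`, so it is worth confirming that the dynamic upper-bound routine sizes the caller's buffer from the same value.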