diff options
author | dim <dim@FreeBSD.org> | 2012-08-31 23:28:41 +0000 |
---|---|---|
committer | dim <dim@FreeBSD.org> | 2012-08-31 23:28:41 +0000 |
commit | 8c9e04b26729438492a4b9a4af9d08aec9b3a704 (patch) | |
tree | 902db0c4e59ddda52c55b90f6a107ee4318088c8 /contrib/binutils | |
parent | 25568f4c4f0ab4414b84fd0631bc5e57c585c15f (diff) | |
download | FreeBSD-src-8c9e04b26729438492a4b9a4af9d08aec9b3a704.zip FreeBSD-src-8c9e04b26729438492a4b9a4af9d08aec9b3a704.tar.gz |
Fix a twelve year old bug in readelf: when process_dynamic_segment()
encounters a DT_RUNPATH entry, the global dynamic_info[] array is
overrun, causing some other global variable to be overwritten.
In my testcase, this was the section_headers variable, leading to
segfaults or jemalloc assertions when it was freed later on.
Thanks to Koop Mast for providing samples of a few "bad" .so files.
MFC after: 1 week
Diffstat (limited to 'contrib/binutils')
-rw-r--r-- | contrib/binutils/binutils/readelf.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/contrib/binutils/binutils/readelf.c b/contrib/binutils/binutils/readelf.c index a8c5ccc..98249ff 100644 --- a/contrib/binutils/binutils/readelf.c +++ b/contrib/binutils/binutils/readelf.c @@ -174,7 +174,7 @@ static Elf_Internal_Syminfo *dynamic_syminfo; static unsigned long dynamic_syminfo_offset; static unsigned int dynamic_syminfo_nent; static char program_interpreter[PATH_MAX]; -static bfd_vma dynamic_info[DT_JMPREL + 1]; +static bfd_vma dynamic_info[DT_ENCODING]; static bfd_vma dynamic_info_DT_GNU_HASH; static bfd_vma version_info[16]; static Elf_Internal_Ehdr elf_header; |