PR32399, buffer overflow printing core_file_failing_command

Assorted targets do not check, as the ELF targets do, that the program
name in a core file is NUL terminated.  Fix some of them.  I haven't
attempted to fix all targets because editing host specific code can
easily result in build bugs, which aren't discovered until someone
build binutils for that host.  (Of the files edited here, I can't
easily compile hpux-core.c and osf-core.c on a linux system.)

	PR 32399
	* hppabsd-core.c (hppabsd_core_core_file_p): Ensure core_command
	string is terminated.
	* hpux-core.c (hpux_core_core_file_p): Likewise.
	* irix-core.c (irix_core_core_file_p): Likewise.
	* lynx-core.c (lynx_core_file_p): Likewise.
	* osf-core.c (osf_core_core_file_p): Likewise.
	* mach-o.c (bfd_mach_o_core_file_failing_command): Likewise.

diff --git a/bfd/hppabsd-core.c b/bfd/hppabsd-core.c
index ae5d1f8f1e5a586c96e14180c951f1f4526bbb00..1c24e641b3a042295feeeceaecec39ac8b07443c 100644 (file)
--- a/bfd/hppabsd-core.c
+++ b/bfd/hppabsd-core.c
@@ -179,7 +179,8 @@ hppabsd_core_core_file_p (bfd *abfd)
     goto fail;
   core_regsec (abfd)->vma = 0;
 
-  strncpy (core_command (abfd), u.u_comm, MAXCOMLEN + 1);
+  strncpy (core_command (abfd), u.u_comm, MAXCOMLEN);
+  core_command (abfd)[MAXCOMLEN] = 0;
   core_signal (abfd) = u.u_code;
   return _bfd_no_cleanup;
 

diff --git a/bfd/hpux-core.c b/bfd/hpux-core.c
index 1e2ea926f021065bc824487f8019e5bd3bf5823f..18516e3a89760b4dd6cd5a67df9b84032e9c36a8 100644 (file)
--- a/bfd/hpux-core.c
+++ b/bfd/hpux-core.c
@@ -177,7 +177,8 @@ hpux_core_core_file_p (bfd *abfd)
            struct proc_exec proc_exec;
            if (bfd_read (&proc_exec, core_header.len, abfd) != core_header.len)
              break;
-           strncpy (core_command (abfd), proc_exec.cmd, MAXCOMLEN + 1);
+           strncpy (core_command (abfd), proc_exec.cmd, MAXCOMLEN);
+           core_command (abfd)[MAXCOMLEN] = 0;
            good_sections++;
          }
          break;

diff --git a/bfd/irix-core.c b/bfd/irix-core.c
index 80cb82d0fa3076864328b7b4b0b5a2931a4584dd..7a486841d35c7e3987dad41ed48f8684ae23e962 100644 (file)
--- a/bfd/irix-core.c
+++ b/bfd/irix-core.c
@@ -203,7 +203,8 @@ irix_core_core_file_p (bfd *abfd)
   if (!core_hdr (abfd))
     return NULL;
 
-  strncpy (core_command (abfd), coreout.c_name, CORE_NAMESIZE);
+  strncpy (core_command (abfd), coreout.c_name, CORE_NAMESIZE - 1);
+  core_command (abfd)[CORE_NAMESIZE - 1] = 0;
   core_signal (abfd) = coreout.c_sigcause;
 
   if (bfd_seek (abfd, coreout.c_vmapoffset, SEEK_SET) != 0)

diff --git a/bfd/lynx-core.c b/bfd/lynx-core.c
index 44d94ad87456bb6834b9f3488aa78aca21dcc628..7870dc62866d4d1b7b84a413ff6065d1ed0bc072 100644 (file)
--- a/bfd/lynx-core.c
+++ b/bfd/lynx-core.c
@@ -120,7 +120,8 @@ lynx_core_file_p (bfd *abfd)
   if (!core_hdr (abfd))
     return NULL;
 
-  strncpy (core_command (abfd), pss.pname, PNMLEN + 1);
+  strncpy (core_command (abfd), pss.pname, PNMLEN);
+  core_command (abfd)[PNMLEN] = 0;
 
   /* Compute the size of the thread contexts */
 

diff --git a/bfd/mach-o.c b/bfd/mach-o.c
index 974747caadd8b46ac98cd2b94521c51c11e36b68..037718fb22cffc18e095b68353306ff9ee39ab03 100644 (file)
--- a/bfd/mach-o.c
+++ b/bfd/mach-o.c
@@ -6019,9 +6019,9 @@ bfd_mach_o_core_file_failing_command (bfd *abfd)
   int ret;
 
   ret = bfd_mach_o_core_fetch_environment (abfd, &buf, &len);
-  if (ret < 0)
+  if (ret < 0 || len == 0)
     return NULL;
-
+  buf[len - 1] = 0;
   return (char *) buf;
 }
 

diff --git a/bfd/osf-core.c b/bfd/osf-core.c
index 55b127d48b3de9ac28fbc82580dfa7b2ed7a7c61..6869dfa23eadff8a745a073cd1263b0367e772f2 100644 (file)
--- a/bfd/osf-core.c
+++ b/bfd/osf-core.c
@@ -92,7 +92,8 @@ osf_core_core_file_p (bfd *abfd)
   if (!core_hdr (abfd))
     return NULL;
 
-  strncpy (core_command (abfd), core_header.name, MAXCOMLEN + 1);
+  strncpy (core_command (abfd), core_header.name, MAXCOMLEN);
+  core_command (abfd)[MAXCOMLEN] = 0;
   core_signal (abfd) = core_header.signo;
 
   for (i = 0; i < core_header.nscns; i++)