From: Alan Modra Date: Wed, 15 Jan 2025 08:43:43 +0000 (+1030) Subject: PR32560 stack-buffer-overflow at objdump disassemble_bytes X-Git-Tag: binutils-2_44~129 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893;p=thirdparty%2Fbinutils-gdb.git PR32560 stack-buffer-overflow at objdump disassemble_bytes There's always someone pushing the boundaries. PR 32560 * objdump.c (MAX_INSN_WIDTH): Define. (insn_width): Make it an unsigned long. (disassemble_bytes): Use MAX_INSN_WIDTH to size buffer. (main ): Restrict size of insn_width. --- diff --git a/binutils/objdump.c b/binutils/objdump.c index ecbe39e942e..80044dea580 100644 --- a/binutils/objdump.c +++ b/binutils/objdump.c @@ -117,7 +117,8 @@ static bool disassemble_all; /* -D */ static int disassemble_zeroes; /* --disassemble-zeroes */ static bool formats_info; /* -i */ int wide_output; /* -w */ -static int insn_width; /* --insn-width */ +#define MAX_INSN_WIDTH 49 +static unsigned long insn_width; /* --insn-width */ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */ static bfd_vma stop_address = (bfd_vma) -1; /* --stop-address */ static int dump_debugging; /* --debugging */ @@ -3391,7 +3392,7 @@ disassemble_bytes (struct disassemble_info *inf, } else { - char buf[50]; + char buf[MAX_INSN_WIDTH + 1]; unsigned int bpc = 0; unsigned int pb = 0; @@ -6070,8 +6071,9 @@ main (int argc, char **argv) break; case OPTION_INSN_WIDTH: insn_width = strtoul (optarg, NULL, 0); - if (insn_width <= 0) - fatal (_("error: instruction width must be positive")); + if (insn_width - 1 >= MAX_INSN_WIDTH) + fatal (_("error: instruction width must be in the range 1 to " + XSTRING (MAX_INSN_WIDTH))); break; case OPTION_INLINES: unwind_inlines = true;