From: H.J. Lu Date: Mon, 22 Sep 2025 07:20:34 +0000 (+0800) Subject: elf: Don't read beyond .eh_frame section size X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ea1a0737c7692737a644af0486b71e4a392cbca8;p=thirdparty%2Fbinutils-gdb.git elf: Don't read beyond .eh_frame section size PR ld/33464 * elf-eh-frame.c (_bfd_elf_parse_eh_frame): Don't read beyond .eh_frame section size. Signed-off-by: H.J. Lu --- diff --git a/bfd/elf-eh-frame.c b/bfd/elf-eh-frame.c index dc0d2e097f5..30bb313489c 100644 --- a/bfd/elf-eh-frame.c +++ b/bfd/elf-eh-frame.c @@ -737,6 +737,7 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info, if (hdr_id == 0) { unsigned int initial_insn_length; + char *null_byte; /* CIE */ this_inf->cie = 1; @@ -753,10 +754,13 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info, REQUIRE (cie->version == 1 || cie->version == 3 || cie->version == 4); - REQUIRE (strlen ((char *) buf) < sizeof (cie->augmentation)); + null_byte = memchr ((char *) buf, 0, end - buf); + REQUIRE (null_byte != NULL); + REQUIRE ((size_t) (null_byte - (char *) buf) + < sizeof (cie->augmentation)); strcpy (cie->augmentation, (char *) buf); - buf = (bfd_byte *) strchr ((char *) buf, '\0') + 1; + buf = (bfd_byte *) null_byte + 1; this_inf->u.cie.aug_str_len = buf - start - 1; ENSURE_NO_RELOCS (buf); if (buf[0] == 'e' && buf[1] == 'h')