I noticed the fre esz check in flip_sframe_fdes_with_fres_* was wrong,
testing against the full buffer size rather than the remaining size.
It is also ineffective at stopping buffer overflows to check after the
buffer accesses have occurred.
Likely many more buffer overflow checks in the sframe code are needed
before anyone can claim it is secure. Even in the fre code, I see
things like sframe_decoder_get_fres_buf merrily iterating over fres
without a concern for buffer overflow.

	* sframe.c (flip_fre): Add fp_size param. Use it to avoid
	buffer overflow on fuzzed input.
	(flip_sframe_fdes_with_fres_v2): Pass remaining buffer size to
	flip_fre. Remove now redundant and wrong esz check.
	(flip_sframe_fdes_with_fres_v3): Likewise.
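
The pattern the commit message describes, checking each entry against the remaining buffer size before it is touched, as an added C example that is not part of the commit or of sframe.c. The record layout (a count byte followed by 16-bit fields) and the names flip_rec and flip_all are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed record layout (not the SFrame FRE format): one count
   byte n, then n 16-bit fields that are byte-swapped in place.  */

/* Swap one record.  REMAINING is the byte count from P to the end of the
   buffer; each access is checked against it before it happens.  */
bool flip_rec(uint8_t *p, size_t remaining, size_t *esz)
{
  if (remaining < 1)
    return false;
  size_t need = 1 + 2 * (size_t) p[0];
  if (need > remaining)
    return false;
  for (size_t i = 1; i < need; i += 2)
    {
      uint8_t t = p[i];
      p[i] = p[i + 1];
      p[i + 1] = t;
    }
  *esz = need;
  return true;
}

/* Swap NUM_RECS records.  Each call gets buf_size - off, not buf_size:
   testing against the full size would accept a record near the end.
   Returns 0 on success, -1 if a record would run past the buffer.  */
int flip_all(uint8_t *buf, size_t buf_size, unsigned num_recs)
{
  size_t off = 0;
  for (unsigned i = 0; i < num_recs; i++)
    {
      size_t esz;
      if (!flip_rec(buf + off, buf_size - off, &esz))
        return -1;
      off += esz;
    }
  return 0;
}

int main(void)
{
  uint8_t ok[] = { 1, 0xAA, 0xBB, 2, 1, 2, 3, 4 };  /* constructed input */
  uint8_t bad[] = { 1, 0xAA, 0xBB, 2, 1, 2 };       /* 2nd record truncated */
  return (flip_all(ok, sizeof ok, 2) == 0
          && flip_all(bad, sizeof bad, 2) == -1) ? 0 : 1;
}
```

In the truncated input the second record needs 5 bytes, which is less than the 6-byte buffer but more than the 3 bytes that remain, so only the remaining-size test rejects it.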