GNU bug report logs -
#20264
[PATCH] fix: w32_executable_type() causes a segmentation fault
[Message part 1 (text/plain, inline)]
Your message dated Mon, 06 Apr 2015 13:30:11 +0300
with message-id <838ue5lfbg.fsf <at> gnu.org>
and subject line Re: bug#20264: [PATCH] fix: w32_executable_type() causes a segmentation fault
has caused the debbugs.gnu.org bug report #20264,
regarding [PATCH] fix: w32_executable_type() causes a segmentation fault
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
20264: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=20264
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
Hi folks,

On the Windows platform, w32_executable_type() in src/w32proc.c scans
'dllname' in an EXE file. But there are some strange EXE files whose
'dllname' points to an illegal address, for example, Microsoft's Excel
(excel.exe) and PowerPoint (POWEPNT.EXE). w32_executable_type() causes
a segmentation fault for those files.

objdump in binutils seems to know those illegal pointers and discard
them (pe_print_idata() in bfd/peXXigen.c).

In the following patch, 'dllname' is checked for whether it points to the
valid section's address space and discarded when it's invalid.

Regards,
Koichi Arakawa
diff --git a/src/ChangeLog b/src/ChangeLog
index 1c3f933..a49fdf4 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2015-04-06 Koichi Arakawa <arakawa <at> pp.iij4u.or.jp>
+
+ * w32proc.c (w32_executable_type): Check whether 'dllname' points
+ to the section's address space.
+
2015-04-04 Jan Djärv <jan.h.d <at> swipnet.se>
* xselect.c (x_reply_selection_request)
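Review bot: The ChangeLog entry for w32_executable_type says what is checked but not what happens when the check fails (the import scan stops), and it does not cite the report. Adding "(Bug#20264)" and a few words on the behaviour would make the entry self-contained.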
diff --git a/src/w32proc.c b/src/w32proc.c
index 7d982f8..d3d9405 100644
--- a/src/w32proc.c
+++ b/src/w32proc.c
@@ -1618,16 +1618,23 @@ w32_executable_type (char * filename,
data_dir[IMAGE_DIRECTORY_ENTRY_IMPORT];
IMAGE_IMPORT_DESCRIPTOR * imports;
IMAGE_SECTION_HEADER * section;
+ char * base;
+ DWORD_PTR real_size;
section = rva_to_section (import_dir.VirtualAddress, nt_header);
imports = RVA_TO_PTR (import_dir.VirtualAddress, section,
executable);
+ base = RVA_TO_PTR (section->VirtualAddress, section, executable);
+ real_size = max (section->SizeOfRawData, section->Misc.VirtualSize);
for ( ; imports->Name; imports++)
{
char * dllname = RVA_TO_PTR (imports->Name, section,
executable);
+ if (imports->Name < base || dllname >= base + real_size)
+ break;
+
/* The exact name of the cygwin dll has changed with
various releases, but hopefully this will be reasonably
future proof. */
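Review bot: In the added test `if (imports->Name < base || dllname >= base + real_size)`, the left operand compares `imports->Name`, which is an RVA, with `base`, which is a `char *` into the mapped file, so the lower bound mixes two address spaces and should read `dllname < base`. The upper bound only shows that the first byte of the name lies inside the range, and since `real_size` is the larger of `SizeOfRawData` and `Misc.VirtualSize` the range can extend past the bytes actually present in the file; checking that the string terminates within `SizeOfRawData` would be safer. `break` also ends the scan at the first rejected name rather than skipping it, so a later import is never examined, and `section` is dereferenced for `base` without testing what `rva_to_section` returned.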
[Message part 3 (message/rfc822, inline)]
> Date: Mon, 06 Apr 2015 18:48:11 +0900
> (Tokyo (Standard Time))
> Cc: 20264 <at> debbugs.gnu.org
> From: Koichi Arakawa <arakawa <at> pp.iij4u.or.jp>
>
> I apologize for insufficient research. The *illegal* dllname actually
> points to another section. So the previous patch is wrong and it
> should be as follows.
Thanks, I pushed it.
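One way to validate an import name RVA when, as the follow-up notes, the name may live in a different section from the import descriptors. This is an added example, not the Emacs code or the patch pushed for this bug; `struct sect`, `rva_to_cstring`, `sample_name` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the IMAGE_SECTION_HEADER fields used here. */
struct sect {
  uint32_t va;        /* VirtualAddress */
  uint32_t raw_off;   /* PointerToRawData */
  uint32_t raw_size;  /* SizeOfRawData: bytes actually present in the file */
};

/* Return the NUL-terminated string at RVA inside the mapped file, or NULL
   when no section backs the RVA with file data or the string runs past
   the end of that data.  */
static const char *rva_to_cstring (const unsigned char *file, size_t file_len,
                                   const struct sect *sects, size_t nsects,
                                   uint32_t rva)
{
  for (size_t i = 0; i < nsects; i++)
    {
      const struct sect *s = &sects[i];
      if (rva < s->va || rva - s->va >= s->raw_size)
        continue;               /* not in this section's file data */
      uint64_t off = (uint64_t) s->raw_off + (rva - s->va);
      uint64_t end = (uint64_t) s->raw_off + s->raw_size;
      if (end > file_len)
        end = file_len;         /* header claims more than the file holds */
      if (off >= end || !memchr (file + off, '\0', (size_t) (end - off)))
        return NULL;            /* truncated or unterminated name */
      return (const char *) (file + off);
    }
  return NULL;                  /* RVA is in no section at all */
}

/* Constructed sample: a 64-byte "file" whose DLL name sits in the second
   section, not in the one that would hold the import descriptors.  */
static const unsigned char sample_file[64] = {
  [32] = 'K','E','R','N','E','L','3','2','.','d','l','l', 0,
  [45] = 'A','B','C'            /* runs to the section end, no NUL */
};
static const struct sect sample_sects[2] = {
  { 0x1000, 16, 16 },           /* file bytes 16..31 */
  { 0x2000, 32, 16 },           /* file bytes 32..47 */
};

static const char *sample_name (uint32_t rva)
{
  return rva_to_cstring (sample_file, sizeof sample_file, sample_sects, 2, rva);
}

int main (void) { return sample_name (0x2000) && !sample_name (0x200D) ? 0 : 1; }
```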
This bug report was last modified 10 years and 107 days ago.