2017-06-30 15:03:35 +00:00
2017-03-21 16:04:02 +00:00
From 419ae36f2c0dad195737982b446fcace507d0814 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Tue, 21 Mar 2017 16:57:44 +0100
Subject: [PATCH 26/49] debugedit: Fix off-by-one adding DW_FORM_string
replacement slashes.

We would put one too many slashes in between the new dest_dir and file name
part of the replacement of a DW_FORM_string in the .debug_info. If there
was file part then we would overwrite the first character of the name. If
there was no file part at all then this would overwrite the zero terminator
and cause a crash reading the rest of the data.

A crash did happen while building the docker package on fedora s390x.
https://bugzilla.redhat.com/show_bug.cgi?id=1434347

The reason neither issue would normally trigger is because if we do detect
that the dest_dir is larger than the base_dir we refuse to replace anything.

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
tools/debugedit.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/tools/debugedit.c b/tools/debugedit.c
index 0f373162d..b618dceb5 100644
--- a/tools/debugedit.c
+++ b/tools/debugedit.c
@@ -1507,12 +1507,16 @@ edit_attributes (DSO *dso, unsigned char *ptr, struct abbrev_tag *t, int phase)
comp_dir, base_dir, dest_dir);
else
{
- /* Add one or more slashes in between to
- fill up all space (replacement must be
- of the same length). */
+ /* Add zero (if no file part), one or more
+ slashes in between the new dest_dir and the
+ file name to fill up all space (replacement
+ DW_FORM_string must be of the same length).
+ We don't need to copy the old file name (if
+ any) or the zero terminator, because those
+ are already at the end of the string. */
memcpy (ptr, dest_dir, dest_len);
memset (ptr + dest_len, '/',
- orig_len - new_len + 1);
+ orig_len - new_len);
}
}
}
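Review bot: the fill length "orig_len - new_len" in the memset is only safe while new_len never exceeds orig_len, and nothing next to the memcpy/memset pair checks or states that relation. The commit message says the larger-dest_dir case is refused elsewhere, so an assert or explicit guard on it immediately before "memcpy (ptr, dest_dir, dest_len);" would keep a later change to that earlier check from turning this into an oversized fill, particularly if the lengths are unsigned. The diffstat shows only tools/debugedit.c changed; a regression test with a DW_FORM_string that has no file part (the case that overwrote the zero terminator) would be worth adding with this fix.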
--
2.13.2