I tried building a binary for the avr platform with WinAVR-20081205 under Wine.
I reproducibly got a crash: ... wine: Unhandled page fault on read access to 0x656c6966 at address 0xb7d0d38b (thread 003c), starting debugger... ... 5 0x7ed3d0d3 MSVCRT_fprintf+0x31(file=0x7ed640a0, format=":%s") [/wine-git/dlls/msvcrt/file.c:3152] in msvcrt (0x00edfcc8) 6 0x0041de84 bfd_nonfatal_message+0x74(filename=0x0, bfd=0x134d90, section=(nil), format=0x0) [/binutils-2.19/binutils/bucomm.c:98] in avr-objcopy (0x00edfd08) 7 0x00403463 copy_file+0x803(input_filename=<register ESI not in topmost frame>, output_filename=<register EDI not in topmost frame>, input_target=<register EBX not in topmost frame>, output_target="ihex") [/binutils-2.19/binutils/objcopy.c:2093] in avr-objcopy (0x00edfda8) 8 0x00405690 main+0x13c0(argc=15597272, argv=0x4010a7) [/binutils-2.19/binutils/objcopy.c:3479] in avr-objcopy (0x00edfe98) 9 0x004010a7 in avr-objcopy (+0x10a7) (0x00edfed8) ... Before the call to bfd_nonfatal_message a call to bfd_close is done which frees the bfd. In the bfd_nonfatal_message this memory is allocated and overwritten so the bfd becomes invalid to read from. Following is a patch to not access the freed memory anymore.
diff -Nur binutils-2.19.orig/binutils/objcopy.c binutils-2.19/binutils/objcopy.c
--- binutils-2.19.orig/binutils/objcopy.c 2008-08-06 02:42:17.000000000 +0200
+++ binutils-2.19/binutils/objcopy.c 2009-01-28 22:20:20.000000000 +0100
@@ -59,9 +59,9 @@
 /* List of sections to be renamed. */
 static section_rename *section_rename_list;
-#define RETURN_NONFATAL(bfd) \
+#define RETURN_NONFATAL(filename, bfd, section, format) \
 do { \
- status = 1; bfd_nonfatal_message (NULL, bfd, NULL, NULL); return; \
+ status = 1; bfd_nonfatal_message (filename, bfd, section, format); return; \
 } while (0)
 static asymbol **isympp = NULL; /* Input symbols. */
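Review bot: The rewritten `RETURN_NONFATAL` macro in the `@@ -59,9 +59,9 @@` hunk carries no comment stating the rule this patch exists to enforce, namely that a bfd already handed to `bfd_close` must never be passed as its `bfd` argument. I would add above the `#define`: `/* Set status, report through bfd_nonfatal_message and return from the caller. BFD must still be open; after bfd_close pass the file name instead. */`. The macro also hides a `return` and assigns `status`, which the same comment should mention so that later call sites placed after a close are not written from habit.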
@@ -1872,7 +1872,7 @@
 this_element = bfd_openr_next_archived_file (ibfd, NULL);
 if (!bfd_set_format (obfd, bfd_get_format (ibfd)))
- RETURN_NONFATAL (obfd);
+ RETURN_NONFATAL (NULL, obfd, NULL, NULL);
 while (!status && this_element != NULL)
 {
@@ -1995,10 +1995,10 @@
 *ptr = NULL;
 if (!bfd_close (obfd))
- RETURN_NONFATAL (obfd);
+ RETURN_NONFATAL (NULL, NULL, NULL, "error closing obfd");
 if (!bfd_close (ibfd))
- RETURN_NONFATAL (obfd);
+ RETURN_NONFATAL (NULL, NULL, NULL, "error closing ibfd");
 /* Delete all the files that we opened. */
 for (l = list; l != NULL; l = l->next)
@@ -2087,10 +2087,10 @@
 status = 1;
 if (!bfd_close (obfd))
- RETURN_NONFATAL (obfd);
+ RETURN_NONFATAL (output_filename, NULL, NULL, NULL);
 if (!bfd_close (ibfd))
- RETURN_NONFATAL (ibfd);
+ RETURN_NONFATAL (input_filename, NULL, NULL, NULL);
 }
 else
 {
-- Summary: objcopy: access to already freed memory Product: binutils Version: 2.19 Status: NEW Severity: normal Priority: P2 Component: binutils AssignedTo: unassigned at sources dot redhat dot com ReportedBy: bernhardu at vr-web dot de CC: bug-binutils at gnu dot org GCC build triplet: i686-pc-linux-gnuaout GCC host triplet: i586-pc-mingw32msvc GCC target triplet: i586-pc-mingw32msvc http://sourceware.org/bugzilla/show_bug.cgi?id=9798 ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. _______________________________________________ bug-binutils mailing list bug-binutils@gnu.org http://lists.gnu.org/mailman/listinfo/bug-binutils
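Review bot: In the `@@ -1995,10 +1995,10 @@` hunk both new calls pass NULL for the filename and for the bfd, so `bfd_nonfatal_message` is given no name to print. The backtrace in the report shows that function reaching `fprintf` with the format `":%s"`; if the argument there is the filename, it would now be a null pointer, which is undefined behaviour for `%s`. The last hunk avoids this by passing `output_filename` and `input_filename`; here the name should be captured while the bfd is still open, for example a copy of `bfd_get_filename (obfd)` taken before `bfd_close (obfd)`, and passed as the first argument. The two literal messages also name internal variables rather than files and are not wrapped in `_()` for translation. The enclosing function starts and ends outside the hunk, so whether a file name is already in scope there cannot be seen from here.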