https://sourceware.org/bugzilla/show_bug.cgi?id=29099
Bug ID: 29099
Summary: Buffer overflow can happen at libiberty/argv.c
Product: binutils
Version: 2.38
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: yguoaz at gmail dot com
Target Milestone: ---

In the file libiberty/argv.c, the function expandargv has the following code:
(link: https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=libiberty/argv.c;h=10d5c3060b5bf8d70bc65e0c9084b69c890be88f;hb=HEAD#l438)

void
expandargv (int *argcp, char ***argvp)
{
  ......
  while (++i < *argcp)
    {
      ......
      f = fopen (++filename, "r");
      if (!f)
        continue;
      if (fseek (f, 0L, SEEK_END) == -1)
        goto error;
      pos = ftell (f);
      if (pos == -1)
        goto error;
      if (fseek (f, 0L, SEEK_SET) == -1)
        goto error;
      buffer = (char *) xmalloc (pos * sizeof (char) + 1);
      len = fread (buffer, sizeof (char), pos, f);
    }
}

Since pos = ftell (f), the variable pos is controlled by the size of the input file. It is possible that pos = LONG_MAX and then the calculation of the buffer size will have a signed integer overflow:

  pos * sizeof (char) + 1

This is undefined behavior and can lead to a smaller buffer allocated, which can lead to subsequent buffer overflow.
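The defensive pattern a reviewer would want around this allocation, as an added example that is neither the reporter's code nor the binutils fix: validate the ftell result before it is used as an allocation size (reject negative values, values whose +1 would wrap size_t, and values above a sane cap), then read the file and check that fread did not fail. The cap MAX_RESPONSE_FILE_SIZE, the helper names and the sample file contents are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical cap on the size of an @response file (not from the page). */
#define MAX_RESPONSE_FILE_SIZE ((size_t)1 << 26)   /* 64 MiB */

/* Compute pos + 1 as a size_t suitable for malloc.
   Returns 0 on success, -1 if pos is negative, if pos + 1 would wrap,
   or if the result exceeds the cap.  Avoids doing arithmetic on the
   raw ftell() value before it has been validated. */
int checked_buffer_size(long pos, size_t *out)
{
    if (pos < 0)
        return -1;                                 /* ftell error or bogus */
    if ((unsigned long)pos > SIZE_MAX - 1)
        return -1;                                 /* pos + 1 would wrap */
    size_t n = (size_t)pos + 1;
    if (n > MAX_RESPONSE_FILE_SIZE)
        return -1;                                 /* refuse absurd sizes */
    *out = n;
    return 0;
}

/* Read a whole file into a NUL-terminated heap buffer.
   Returns NULL on any failure; the caller frees the buffer. */
char *read_whole_file(const char *path, size_t *len_out)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    char *buffer = NULL;
    size_t n, len;
    long pos;

    if (fseek(f, 0L, SEEK_END) == -1)
        goto error;
    pos = ftell(f);
    if (pos == -1)
        goto error;
    if (fseek(f, 0L, SEEK_SET) == -1)
        goto error;
    if (checked_buffer_size(pos, &n) != 0)         /* the missing check */
        goto error;
    buffer = malloc(n);
    if (!buffer)
        goto error;
    len = fread(buffer, 1, (size_t)pos, f);        /* len <= pos always */
    if (ferror(f))
        goto error;
    buffer[len] = '\0';                            /* in bounds: n == pos + 1 */
    fclose(f);
    if (len_out)
        *len_out = len;
    return buffer;

error:
    free(buffer);
    fclose(f);
    return NULL;
}

/* Demo: write a constructed response file, read it back through the
   checked path, and return its length (or -1 on mismatch/failure). */
long demo_roundtrip(void)
{
    const char *text = "-O2 -Wall\n-o out.o\n";  /* constructed sample */
    char path[] = "/tmp/argv_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd == -1)
        return -1;
    FILE *w = fdopen(fd, "w");
    if (!w) { close(fd); unlink(path); return -1; }
    fputs(text, w);
    fclose(w);

    size_t len = 0;
    char *buf = read_whole_file(path, &len);
    unlink(path);
    if (!buf)
        return -1;
    long result = (strcmp(buf, text) == 0) ? (long)len : -1;
    free(buf);
    return result;
}

int main(void)
{
    size_t n;
    printf("LONG_MAX accepted? %s\n",
           checked_buffer_size(LONG_MAX, &n) == 0 ? "yes" : "no");
    printf("roundtrip length: %ld\n", demo_roundtrip());
    return 0;
}
```

The cap is the practical part of the check: on LP64 targets the expression pos * sizeof (char) + 1 is actually evaluated in size_t, so the value that reaches the allocator is huge rather than wrapped, and a bound on what a response file may reasonably be is what turns "allocation of a preposterous size" into a clean error instead of an out-of-memory path. Checking ferror after fread and terminating at the bytes actually read also covers a file that shrinks between ftell and fread.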