I tried building a binary for the avr platform with WinAVR-20081205 under Wine.

I reproducibly got a crash:
...
wine: Unhandled page fault on read access to 0x656c6966 at address 0xb7d0d38b
(thread 003c), starting debugger...
...
  5 0x7ed3d0d3 MSVCRT_fprintf+0x31(file=0x7ed640a0, format=":%s")
[/wine-git/dlls/msvcrt/file.c:3152] in msvcrt (0x00edfcc8)
  6 0x0041de84 bfd_nonfatal_message+0x74(filename=0x0, bfd=0x134d90,
section=(nil), format=0x0) [/binutils-2.19/binutils/bucomm.c:98] in avr-objcopy
(0x00edfd08)
  7 0x00403463 copy_file+0x803(input_filename=<register ESI not in topmost
frame>, output_filename=<register EDI not in topmost frame>,
input_target=<register EBX not in topmost frame>, output_target="ihex")
[/binutils-2.19/binutils/objcopy.c:2093] in avr-objcopy (0x00edfda8)
  8 0x00405690 main+0x13c0(argc=15597272, argv=0x4010a7)
[/binutils-2.19/binutils/objcopy.c:3479] in avr-objcopy (0x00edfe98)
  9 0x004010a7 in avr-objcopy (+0x10a7) (0x00edfed8)
...

Before bfd_nonfatal_message is called, bfd_close has already been called on the
same bfd, which frees it. Inside bfd_nonfatal_message that freed memory is
reallocated and overwritten, so reading from the bfd afterwards is a
use-after-free: in frame 6 above filename is NULL and bfd is non-NULL, so the
function falls back to the bfd's own filename and hands a dangling pointer to the
":%s" fprintf in frame 5. The faulting address 0x656c6966 is the ASCII bytes
"file" read as a little-endian pointer, which is consistent with string data having
been written over the freed bfd.

The following patch stops the freed bfd from being accessed: at the call sites that
report a failure after bfd_close, the bfd pointer is no longer passed to
bfd_nonfatal_message, and the file name (or a fixed message) is passed instead.

diff -Nur binutils-2.19.orig/binutils/objcopy.c binutils-2.19/binutils/objcopy.c
--- binutils-2.19.orig/binutils/objcopy.c       2008-08-06 02:42:17.000000000 
+0200
+++ binutils-2.19/binutils/objcopy.c    2009-01-28 22:20:20.000000000 +0100
@@ -59,9 +59,9 @@
 /* List of sections to be renamed.  */
 static section_rename *section_rename_list;

-#define RETURN_NONFATAL(bfd) \
+#define RETURN_NONFATAL(filename, bfd, section, format) \
   do { \
-    status = 1; bfd_nonfatal_message (NULL, bfd, NULL, NULL); return; \
+    status = 1; bfd_nonfatal_message (filename, bfd, section, format); return; 
\
   } while (0)

 static asymbol **isympp = NULL;        /* Input symbols.  */
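Review bot: Changing RETURN_NONFATAL from one argument to four breaks every caller that is not updated, and this patch only touches three call sites; any other use of the macro in objcopy.c outside these hunks would fail to compile, so the change needs a full build of the file before it is applied. Since three of the four new call sites pass NULL for three of the four arguments, a smaller change would keep the existing one-argument macro untouched and add a second one for the already-closed case: `#define RETURN_NONFATAL_FILE(filename) \` / `  do { status = 1; bfd_nonfatal_message (filename, NULL, NULL, NULL); return; } while (0)`. That leaves unseen callers alone and makes the "bfd already freed, report by name" intent visible at the call site.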
@@ -1872,7 +1872,7 @@
   this_element = bfd_openr_next_archived_file (ibfd, NULL);

   if (!bfd_set_format (obfd, bfd_get_format (ibfd)))
-    RETURN_NONFATAL (obfd);
+    RETURN_NONFATAL (NULL, obfd, NULL, NULL);

   while (!status && this_element != NULL)
     {
@@ -1995,10 +1995,10 @@
   *ptr = NULL;

   if (!bfd_close (obfd))
-    RETURN_NONFATAL (obfd);
+    RETURN_NONFATAL (NULL, NULL, NULL, "error closing obfd");

   if (!bfd_close (ibfd))
-    RETURN_NONFATAL (obfd);
+    RETURN_NONFATAL (NULL, NULL, NULL, "error closing ibfd");

   /* Delete all the files that we opened.  */
   for (l = list; l != NULL; l = l->next)
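Review bot: The two new calls pass NULL for both filename and bfd, so unless bfd_nonfatal_message substitutes a name when both are NULL (its body is not shown here), the `":%s"` fprintf seen in frame 5 of the trace receives a NULL string argument, which is undefined behaviour and may crash on the very C runtime this report came from. The fixed strings "error closing obfd"/"error closing ibfd" also name internal variables rather than the file the user passed, are not wrapped for translation, and are inconsistent with the copy_file hunk below, which reports the file name. Capture the name before the close and report that instead, e.g. `const char *obfd_name = bfd_get_filename (obfd);` before `if (!bfd_close (obfd))` and then `RETURN_NONFATAL (obfd_name, NULL, NULL, NULL);`, and likewise for ibfd; this is safe only if the string bfd_get_filename returns is not itself owned by the bfd being closed, which should be confirmed against bfd_openr/bfd_openw for this version. Note that a failed close of obfd still returns before ibfd is closed and before the temporary files below are deleted, but that is pre-existing behaviour. The enclosing function starts outside this hunk.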
@@ -2087,10 +2087,10 @@
        status = 1;

       if (!bfd_close (obfd))
-       RETURN_NONFATAL (obfd);
+        RETURN_NONFATAL (output_filename, NULL, NULL, NULL);

       if (!bfd_close (ibfd))
-       RETURN_NONFATAL (ibfd);
+        RETURN_NONFATAL (input_filename, NULL, NULL, NULL);
     }
   else
     {
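Review bot: The replacement lines `+        RETURN_NONFATAL (output_filename, NULL, NULL, NULL);` and `+        RETURN_NONFATAL (input_filename, NULL, NULL, NULL);` appear to be indented with eight spaces while the lines they replace and the surrounding context use a tab, as GNU-style binutils sources do; re-indent with a tab so the hunk is a pure argument change and does not introduce mixed indentation. Otherwise this site matches the trace: with bfd=NULL, bfd_nonfatal_message no longer dereferences the bfd that bfd_close has just freed, and input_filename/output_filename are copy_file's own parameters (frame 7), so they presumably outlive the bfd. copy_file starts and ends outside this hunk.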

-- 
           Summary: objcopy: access to already freed memory
           Product: binutils
           Version: 2.19
            Status: NEW
          Severity: normal
          Priority: P2
         Component: binutils
        AssignedTo: unassigned at sources dot redhat dot com
        ReportedBy: bernhardu at vr-web dot de
                CC: bug-binutils at gnu dot org
 GCC build triplet: i686-pc-linux-gnuaout
  GCC host triplet: i586-pc-mingw32msvc
GCC target triplet: i586-pc-mingw32msvc


http://sourceware.org/bugzilla/show_bug.cgi?id=9798
