BR3392646: output/outobj.c: fix memory corruption in long object names
When we encode a name we put its length before it, the storage is one byte width so the name can't be more than UINT8_MAX (ie 255) bytes length. Moreover if one provide a name more than RECORD_MAX then we simply overwrite random memory. Thus lets do as in other obj_check calls -- shrink the size we gonna use. But unlike oter code lets yield a warning as well. Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
This commit is contained in:
Cyrill Gorcunov
parent
57e0b3e56a
commit
f14552e5fb
1 changed files with 6 additions and 0 deletions
|
|
@ -424,6 +424,12 @@ static ObjRecord *obj_name(ObjRecord * orp, const char *name)
|
||||||
int len = strlen(name);
|
int len = strlen(name);
|
||||||
uint8_t *ptr;
|
uint8_t *ptr;
|
||||||
|
|
||||||
|
if (len > UINT8_MAX) {
|
||||||
|
nasm_warn(WARN_OTHER, "cutting object name '%128s...' to %u bytes",
|
||||||
|
name, UINT8_MAX);
|
||||||
|
len = UINT8_MAX;
|
||||||
|
}
|
||||||
|
|
||||||
orp = obj_check(orp, len + 1);
|
orp = obj_check(orp, len + 1);
|
||||||
ptr = orp->buf + orp->used;
|
ptr = orp->buf + orp->used;
|
||||||
*ptr++ = len;
|
*ptr++ = len;
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue