Stack-based buffer overflow in ihex_bad_byte function in ihex.c
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| binutils | Unknown | Unknown | | |
| binutils (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
-=Binary=-
size
-=Package=-
binutils 2.25-10ubuntu1
-=Title=-
size assert failure : ***buffer overflow detected***: size terminated
-=Input file=-
root@exploitdev
00000000: 3a30 3030 3030 3030 3030 303a b030 3030 :0000000000:.000
00000010: 3030 3030 ____ ____ ____ ____ ____ ____ 0000
-=happens here=-
ihex.c:222 --> sprintf (buf, "\\%03o", (unsigned int) c);
-=stacktrace=-
(gdb) backtrace
#0 0xb7fdbbe0 in __kernel_vsyscall ()
#1 0xb7e2c057 in __GI_raise (sig=6) at ../sysdeps/
#2 0xb7e2d699 in __GI_abort () at abort.c:89
#3 0xb7e6a19e in __libc_message (do_abort=2, fmt=0xb7f62380 "*** %s ***: %s terminated\n")
at ../sysdeps/
#4 0xb7efacb8 in __GI___fortify_fail (msg=<optimised out>,
msg@
#5 0xb7ef8e3a in __GI___chk_fail () at chk_fail.c:28
#6 0xb7ef8618 in _IO_str_
#7 0xb7e6db5c in __GI__IO_
at genops.c:480
#8 0xb7e43c3b in _IO_vfprintf_
ap=0xbffff1b4 "O\362\377\277\b") at vfprintf.c:1641
#9 0xb7ef86ad in ___vsprintf_chk (s=0xbffff1c2 "\\37777777", flags=1, slen=10,
format=
at vsprintf_chk.c:84
#10 0xb7ef8600 in ___sprintf_chk (s=0xbffff1c2 "\\37777777", flags=1, slen=10,
format=
#11 0x08061607 in sprintf (__fmt=0x80cb83d "\\%03o", __s=0xbffff1c2 "\\37777777")
at /usr/include/
#12 ihex_bad_byte (abfd=0x811a9f0, lineno=1, c=<optimised out>, error=0) at ihex.c:222
#13 0x08061d69 in ihex_scan (abfd=<optimised out>) at ihex.c:298
#14 ihex_object_p (abfd=0x811a9f0) at ihex.c:526
#15 0x08055742 in bfd_check_
matching=
#16 0x0804a8f0 in display_bfd (abfd=abfd@
#17 0x0804aaaf in display_file (filename=
#18 0x08049fd4 in main (argc=2, argv=0xbffff444) at size.c:239
tags: | added: binutils dos size |
description: | updated |
summary: |
- ihex_bad_byte in ihex.c : stack-based buffer overflow
+ Stack-based buffer overflow in ihex_bad_byte function in ihex.c |
size size-SBBOF to replicate
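Added example, not part of the original report and not binutils code: it reproduces the arithmetic behind the `slen=10` abort at the `sprintf (buf, "\\%03o", (unsigned int) c)` line and shows a bounded, masked formatter beside it. The function names are hypothetical, and it assumes a 32-bit `unsigned int` and that the `0xb0` input byte reaches the cast sign-extended, which is inferred from the `"\\37777777"` prefix visible in frame #9.

```c
#include <stdio.h>
#include <string.h>

/* Destination size the fortified sprintf reported (slen=10 in the backtrace). */
#define BAD_BYTE_BUF 10

/* Bytes, including the terminating NUL, that "\\%03o" needs for value v.
   snprintf with a zero-size buffer only measures; it writes nothing. */
static int octal_escape_need(unsigned int v)
{
    return snprintf(NULL, 0, "\\%03o", v) + 1;
}

/* Assumed path to the overflow: a byte held in a signed char is
   sign-extended before the (unsigned int) cast, so 0xb0 becomes 0xffffffb0. */
static unsigned int widen_signed(signed char c)
{
    return (unsigned int) c;
}

/* Hardened form: mask to 8 bits so at most three octal digits are printed,
   and bound the write. Returns 0 on success, -1 if the output did not fit. */
static int format_bad_byte(char *buf, size_t buflen, int c)
{
    int n = snprintf(buf, buflen, "\\%03o", (unsigned int) c & 0xff);
    return (n < 0 || (size_t) n >= buflen) ? -1 : 0;
}

int main(void)
{
    signed char c = (signed char) 0xb0;   /* byte from the sample input file */
    char buf[BAD_BYTE_BUF];

    printf("sign-extended value needs %d bytes, buffer has %d\n",
           octal_escape_need(widen_signed(c)), BAD_BYTE_BUF);
    printf("masked value needs %d bytes\n", octal_escape_need(0xb0));

    if (format_bad_byte(buf, sizeof buf, c) == 0)
        printf("hardened output: %s\n", buf);
    return 0;
}
```

The `%03o` width is a minimum, not a maximum, so only masking the value (or a bounded write) keeps the output inside the buffer.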