pr23056

# DP: Fix PR gprof/23056, memory corruption in gprof.

bfd/

2018-04-23  Nick Clifton  <nickc@redhat.com>

	PR 23056
	* aoutx.h (aout_get_external_symbols): Allocate an extra byte at
	the end of the string table, and zero it.

Gbp-Pq: Name pr23056.diff

diff --git a/bfd/aoutx.h b/bfd/aoutx.h
index f14683e528b27caaf0052a23ae6d5b18f7c87c13..1db9cb8c8fcfc53eac279373f393ba05a31eed28 100644 (file)
--- a/bfd/aoutx.h
+++ b/bfd/aoutx.h
@@ -1363,7 +1363,7 @@ aout_get_external_symbols (bfd *abfd)
 #ifdef USE_MMAP
       if (stringsize >= BYTES_IN_WORD)
        {
-         if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
+         if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize + 1,
                                     &obj_aout_string_window (abfd), TRUE))
            return FALSE;
          strings = (char *) obj_aout_string_window (abfd).data;
@@ -1371,7 +1371,7 @@ aout_get_external_symbols (bfd *abfd)
       else
 #endif
        {
-         strings = (char *) bfd_malloc (stringsize);
+         strings = (char *) bfd_malloc (stringsize + 1);
          if (strings == NULL)
            return FALSE;
 
@@ -1390,7 +1390,8 @@ aout_get_external_symbols (bfd *abfd)
       /* Ensure that a zero index yields an empty string.  */
       strings[0] = '\0';
 
-      strings[stringsize - 1] = 0;
+      /* Ensure that the string buffer is NUL terminated.  */
+      strings[stringsize] = 0;
 
       obj_aout_external_strings (abfd) = strings;
       obj_aout_external_string_size (abfd) = stringsize;