https://sourceware.org/bugzilla/show_bug.cgi?id=17605
Bug ID: 17605
Summary: ar crashes on malformed archive
Product: binutils
Version: 2.26 (HEAD)
Status: NEW
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: cherepan at mccme dot ru

Test:

$ printf '!<arch>\n%16s%-32s%-10s`\n' '' 100000000000000000 0 > test.a
$ ar tv test.a
Segmentation fault

It crashes inside binutils-gdb/binutils/bucomm.c:

424   if (bfd_stat_arch_elt (abfd, &buf) == 0)
425     {
426       char modebuf[11];
427       char timebuf[40];
428       time_t when = buf.st_mtime;
429       const char *ctime_result = (const char *) ctime (&when);
430       bfd_size_type size;
431
432       /* POSIX format: skip weekday and seconds from ctime output.  */
433       sprintf (timebuf, "%.12s %.4s", ctime_result + 4, ctime_result + 20);

'when' is too big, 'ctime' returns 0, which gets dereferenced inside sprintf.

Seems not to be exploitable.

Found with American Fuzzy Lop.

-- 
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
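An added example, not code from the bug report or from binutils: a defensive version of the two steps involved in printing a member timestamp, written in C. It assumes the classic 60-byte ar member header layout (ar_date is 12 ASCII decimal digits at offset 16, followed directly by the uid and gid fields), parses that field without reading past its boundary, and formats the time with gmtime(), which, like ctime(), returns NULL for values that do not fit struct tm; the NULL result is checked instead of dereferenced. Function names (parse_ar_mtime, format_ar_mtime) and the placeholder string are this example's own choices, and the header bytes are constructed in main() with the same printf format string the report uses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Classic ar member header: 60 bytes, ar_date is 12 ASCII decimal digits at offset 16. */
#define AR_HDR_SIZE 60
#define AR_DATE_OFF 16
#define AR_DATE_LEN 12

/* Parse the 12-byte ar_date field and nothing beyond it. The field is not
   NUL-terminated and the bytes after it belong to the uid/gid fields, so the
   loop is bounded by AR_DATE_LEN rather than by a terminator. Accepts decimal
   digits followed only by space padding. Returns 1 and stores the value on
   success, 0 on an empty, non-decimal, or (for 32-bit time_t) out-of-range field. */
int parse_ar_mtime(const char *field, time_t *out)
{
    unsigned long long v = 0;
    size_t i = 0;

    /* Twelve decimal digits cannot overflow unsigned long long. */
    while (i < AR_DATE_LEN && field[i] >= '0' && field[i] <= '9') {
        v = v * 10 + (unsigned long long)(field[i] - '0');
        i++;
    }
    if (i == 0)
        return 0;                       /* no digits at all */
    for (; i < AR_DATE_LEN; i++)
        if (field[i] != ' ')
            return 0;                   /* junk after the number */
    if (sizeof(time_t) < 8 && v > 0x7fffffffULL)
        return 0;                       /* would not fit a 32-bit time_t */
    *out = (time_t)v;
    return 1;
}

/* Format a member timestamp in the "Nov 13 12:34 2014" shape that `ar tv`
   prints, without dereferencing a NULL pointer: gmtime() (used here in place
   of ctime(); it is the C standard call and is not reentrant) is checked, and
   a visible placeholder is written when the value cannot be represented in
   struct tm. Returns 1 for a real date, 0 when the placeholder was used. */
int format_ar_mtime(time_t when, char *out, size_t outlen)
{
    struct tm *tm = gmtime(&when);

    if (tm == NULL || strftime(out, outlen, "%b %e %H:%M %Y", tm) == 0) {
        snprintf(out, outlen, "%s", "??? ?? ??:?? ????");
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: the member header the report's printf produces,
       built with the same format string (the "!<arch>\n" magic is omitted). */
    char header[AR_HDR_SIZE + 1];
    char when_str[32];
    time_t when;

    snprintf(header, sizeof header, "%16s%-32s%-10s`\n",
             "", "100000000000000000", "0");

    /* A parse that stops at the field boundary sees only the first 12 digits. */
    if (parse_ar_mtime(header + AR_DATE_OFF, &when)) {
        format_ar_mtime(when, when_str, sizeof when_str);
        printf("bounded parse:   %lld -> %s\n", (long long)when, when_str);
    }

    /* A parse that runs past the field (strtoull on the non-terminated bytes)
       also swallows the digits that sit in the uid/gid area, producing the
       value the report describes as too big; format_ar_mtime still returns
       cleanly with the placeholder instead of crashing. */
    when = (time_t)strtoull(header + AR_DATE_OFF, NULL, 10);
    format_ar_mtime(when, when_str, sizeof when_str);
    printf("unbounded parse: %lld -> %s\n", (long long)when, when_str);
    return 0;
}
```

The two printf lines in main() make the contrast visible: the bounded parse yields a representable (if implausible) date, while the unbounded one yields the out-of-range value, which is reported with the placeholder rather than by dereferencing a NULL pointer. Any real fix in `ar` would also want to reject or flag the implausible value, but the check that matters for the crash is the NULL test on the conversion result.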