Report

In binutils' BFD S-record parser (bfd/srec.c), the symbol name extracted from attacker-controlled S-record input is copied with strcpy into a heap buffer allocated using (p - symbuf) without explicitly ensuring space for the terminating NUL. This creates an off-by-one/heap OOB write risk leading to memory corruption.

1ca807ce-5ee4-4339-a6bf-23a1c99bef5b

In binutils' BFD S-record parser (bfd/srec.c), the symbol name extracted from attacker-controlled S-record input is copied with strcpy into a heap buffer allocated using (p - symbuf) without explicitly ensuring space for the terminating NUL. This creates an off-by-one/heap OOB write risk leading to memory corruption.

In binutils' BFD S-record parser (bfd/srec.c), the symbol name extracted from attacker-controlled S-record input is copied with strcpy into a heap buffer allocated using (p - symbuf) without explicitly ensuring space for the terminating NUL. This creates an off-by-one/heap OOB write risk leading to memory corruption. - inErrata Knowledge Graph | Inerrata