diff options
| author | Alan Modra <amodra@gmail.com> | 2018-12-16 23:02:50 +1030 |
|---|---|---|
| committer | Alan Modra <amodra@gmail.com> | 2018-12-17 12:49:38 +1030 |
| commit | 3a551c7a1b80fca579461774860574eabfd7f18f (patch) | |
| tree | 5d0b9463f405cd293b2571a6dd3dc04cb914d695 /bfd/aoutx.h | |
| parent | 40b9228581bb9bfaa3a444a6a19a9b41ebc68c40 (diff) | |
| download | gdb-3a551c7a1b80fca579461774860574eabfd7f18f.zip gdb-3a551c7a1b80fca579461774860574eabfd7f18f.tar.gz gdb-3a551c7a1b80fca579461774860574eabfd7f18f.tar.bz2 | |
PR23994, libbfd integer overflow
PR 23994
* aoutx.h: Include limits.h.
(get_reloc_upper_bound): Detect long overflow and return a file
too big error if it occurs.
* elf.c: Include limits.h.
(_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
a file too big error if it occurs.
(_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
(_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
Diffstat (limited to 'bfd/aoutx.h')
| -rw-r--r-- | bfd/aoutx.h | 40 |
1 files changed, 21 insertions, 19 deletions
diff --git a/bfd/aoutx.h b/bfd/aoutx.h index 023843b..78eaa9c 100644 --- a/bfd/aoutx.h +++ b/bfd/aoutx.h @@ -117,6 +117,7 @@ DESCRIPTION #define KEEPIT udata.i #include "sysdep.h" +#include <limits.h> #include "bfd.h" #include "safe-ctype.h" #include "bfdlink.h" @@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd, long NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect) { + bfd_size_type count; + if (bfd_get_format (abfd) != bfd_object) { bfd_set_error (bfd_error_invalid_operation); @@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect) } if (asect->flags & SEC_CONSTRUCTOR) - return sizeof (arelent *) * (asect->reloc_count + 1); - - if (asect == obj_datasec (abfd)) - return sizeof (arelent *) - * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd)) - + 1); - - if (asect == obj_textsec (abfd)) - return sizeof (arelent *) - * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd)) - + 1); - - if (asect == obj_bsssec (abfd)) - return sizeof (arelent *); - - if (asect == obj_bsssec (abfd)) - return 0; + count = asect->reloc_count; + else if (asect == obj_datasec (abfd)) + count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd); + else if (asect == obj_textsec (abfd)) + count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd); + else if (asect == obj_bsssec (abfd)) + count = 0; + else + { + bfd_set_error (bfd_error_invalid_operation); + return -1; + } - bfd_set_error (bfd_error_invalid_operation); - return -1; + if (count >= LONG_MAX / sizeof (arelent *)) + { + bfd_set_error (bfd_error_file_too_big); + return -1; + } + return (count + 1) * sizeof (arelent *); } long |