From 5a3f568b70bdfb91aacdfb66657b56d8c6d242f1 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Mon, 3 Nov 2014 17:44:00 +0000
Subject: More fixes for buffer overruns instigated by corrupt binaries.

	PR binutils/17512
	* objdump.c (slurp_symtab): Fail gracefully if the table could not
	be read.
	(dump_relocs_in_section): Likewise.

	* aoutx.h (slurp_symbol_table): Check that computed table size is
	not bigger than the file from which is it being read.
	(slurp_reloc_table): Likewise.
	* coffcode.h (coff_slurp_line_table): Remove unneeded local
	'warned'.  Do not try to print the details of a symbol with an
	invalid index.
	* coffgen.c (make_a_sectiobn_from_file): Check computed string
	index against length of string table.
	(bfd_coff_internal_syment_name): Check read in string offset
	against length of string table.
	(build_debug_section): Return a pointer to the section used.
	(_bfd_coff_read_string_table): Store the length of the string
	table in the coff_tdata structure.
	(bfd_coff_free_symbols): Set the length of the string table to
	zero when it is freed.
	(coff_get_normalized_symtab): Check offsets against string table
	or data table lengths as appropriate.
	* cofflink.c (_bfd_coff_link_input_bfd): Check offset against
	length of string table.
	* compress.c (bfd_get_full_section_contents): Check computed size
	against the size of the file.
	* libcoff-in.h (obj_coff_strings_len): Define.
	(struct coff_tdata): Add strings_len field.
	* libcoff.h: Regenerate.
	* peXXigen.c (pe_print_debugdata): Do not attempt to print the
	data if the debug section is too small.
	* xcofflink.c (xcoff_link_input_bfd):  Check offset against
	length of string table.
---
 bfd/aoutx.h | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'bfd/aoutx.h')

diff --git a/bfd/aoutx.h b/bfd/aoutx.h
index bef59b4..cb0887a 100644
--- a/bfd/aoutx.h
+++ b/bfd/aoutx.h
@@ -1756,6 +1756,8 @@ NAME (aout, slurp_symbol_table) (bfd *abfd)
     return TRUE;		/* Nothing to do.  */
 
   cached_size *= sizeof (aout_symbol_type);
+  if (cached_size >= (bfd_size_type) bfd_get_size (abfd))
+    return FALSE;
   cached = (aout_symbol_type *) bfd_zmalloc (cached_size);
   if (cached == NULL)
     return FALSE;
@@ -2307,6 +2309,11 @@ NAME (aout, slurp_reloc_table) (bfd *abfd, sec_ptr asect, asymbol **symbols)
   if (reloc_size == 0)
     return TRUE;		/* Nothing to be done.  */
 
+  /* PR binutils/17512: Do not even try to
+     load the relocs if their size is corrupt.  */
+  if (reloc_size + asect->rel_filepos >= (bfd_size_type) bfd_get_size (abfd))
+    return FALSE;
+
   if (bfd_seek (abfd, asect->rel_filepos, SEEK_SET) != 0)
     return FALSE;
 
-- 
cgit v1.1