From f54498b45795194df671207c6ef3d6cd6d0c0ebb Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Fri, 31 Oct 2014 16:36:31 +0000
Subject: Avoid allocating over-large buffers when parsing corrupt binaries.

PR binutils/17512
* coffgen.c (_bfd_coff_get_external_symbols): Do not try to load a symbol table bigger than the file.
* elf.c (bfd_elf_get_str_section): Do not try to load a string table bigger than the file.
* readelf.c (process_program_headers): Avoid memory exhaustion due to corrupt values in a dynamis segment header.
(get_32bit_elf_symbols): Do not attempt to read an over-large section.
(get_64bit_elf_symbols): Likewise.
---
 bfd/ChangeLog | 8 ++++++++
 bfd/coffgen.c | 5 +++++
 bfd/elf.c | 5 +++++
 3 files changed, 18 insertions(+)
 (limited to 'bfd')
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index c15e8cb..accbcc9 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2014-10-31 Nick Clifton
+
+ PR binutils/17512
+ * coffgen.c (_bfd_coff_get_external_symbols): Do not try to load a
+ symbol table bigger than the file.
+ * elf.c (bfd_elf_get_str_section): Do not try to load a string
+ table bigger than the file.
+
 2014-10-30 Nick Clifton
 PR binutils/17512
diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index a1a0325..f18ddab 100644
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1616,6 +1616,11 @@ _bfd_coff_get_external_symbols (bfd *abfd)
 if (size == 0)
 return TRUE;
+ /* PR binutils/17512: Do not even try to load
+ a symbol table bigger than the entire file... */
+ if (size >= (bfd_size_type) bfd_get_size (abfd))
+ return FALSE;
+
 syms = bfd_malloc (size);
 if (syms == NULL)
 return FALSE;
diff --git a/bfd/elf.c b/bfd/elf.c
index 9c4dcdf..7cc0ce1 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
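Review bot: The new guard in _bfd_coff_get_external_symbols compares only `size` against the file size, so a corrupt symbol table located near the end of the file still passes as long as its size is just under the file size, and the allocation stays bounded by the whole file rather than by what the file can actually supply from that offset; the bfd_elf_get_str_section hunk has the same shape. A tighter bound would fetch the file size once and test the table's start offset as well, along the lines of `if (size >= filesize || filepos > filesize - size) return FALSE;` where `filepos` stands for the offset later used for the seek (set up outside this hunk, so its real name is not visible here) and the subtraction form avoids an overflowing addition. The cast `(bfd_size_type) bfd_get_size (abfd)` also deserves a word: if bfd_get_size reports failure as 0 the guard fails closed and rejects every non-empty table, but if it could ever return a negative value the cast would turn it into a huge bound and silently disable the check, so the expected failure value is worth a one-line comment once confirmed. The read that follows the allocation lies outside the hunk and presumably still validates the byte count actually returned.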
@@ -294,6 +294,11 @@ bfd_elf_get_str_section (bfd *abfd, unsigned int shindex)
 offset = i_shdrp[shindex]->sh_offset;
 shstrtabsize = i_shdrp[shindex]->sh_size;
+ /* PR binutils/17512: Do not even try to load
+ a string table bigger than the entire file... */
+ if (shstrtabsize >= (bfd_size_type) bfd_get_size (abfd))
+ return NULL;
+
 /* Allocate and clear an extra byte at the end, to prevent crashes
 in case the string table is not terminated. */
 if (shstrtabsize + 1 <= 1
-- cgit v1.1
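Review bot: With the new guard in place, the `shstrtabsize + 1 <= 1` test on the hunk's last line can only be true for `shstrtabsize == 0`, because the wrap-around case (`sh_size` equal to the maximum unsigned value, assuming `shstrtabsize` is a `bfd_size_type` as the cast suggests) is now rejected by the new `return NULL`, and nothing in the comments says which check now owns which case. A short comment on the new guard would keep the two in step, e.g. `/* This also rules out an sh_size of (bfd_size_type) -1, so the "+ 1" test below now only catches an empty table.  */`. The `if (shstrtabsize + 1 <= 1` condition and the rest of bfd_elf_get_str_section continue past the end of the hunk, so the later seek/read handling could not be reviewed here.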