diff options
| author | Nick Clifton <nickc@redhat.com> | 2017-11-03 11:55:21 +0000 |
|---|---|---|
| committer | Nick Clifton <nickc@redhat.com> | 2017-11-03 11:55:21 +0000 |
| commit | 6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca (patch) | |
| tree | 2e9c1fb1aab283ad800e3c9f98880e0f726c4f86 /bfd | |
| parent | 8e68731c8a4aecb3481803e91b9bcd2df182c135 (diff) | |
| download | binutils-6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca.zip binutils-6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca.tar.gz binutils-6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca.tar.bz2 | |
Fix excessive memory allocation attempts and possible integer overfloaws when attempting to read a COFF binary with a corrupt symbol count.
PR 22385
* coffgen.c (_bfd_coff_get_external_symbols): Check for an
overlarge raw syment count.
(coff_get_normalized_symtab): Likewise.
Diffstat (limited to 'bfd')
| -rw-r--r-- | bfd/ChangeLog | 8 | ||||
| -rw-r--r-- | bfd/coffgen.c | 17 |
2 files changed, 23 insertions, 2 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog index b8cddd5..e857d2e 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,11 @@ +2017-11-03 Mingi Cho <mgcho.minic@gmail.com> + Nick Clifton <nickc@redhat.com> + + PR 22385 + * coffgen.c (_bfd_coff_get_external_symbols): Check for an + overlarge raw syment count. + (coff_get_normalized_symtab): Likewise. + 2017-11-01 James Bowman <james.bowman@ftdichip.com> * archures.c: Add bfd_mach_ft32b. diff --git a/bfd/coffgen.c b/bfd/coffgen.c index 98363d0..81efd9b 100644 --- a/bfd/coffgen.c +++ b/bfd/coffgen.c @@ -1640,13 +1640,23 @@ _bfd_coff_get_external_symbols (bfd *abfd) size = obj_raw_syment_count (abfd) * symesz; if (size == 0) return TRUE; + /* Check for integer overflow and for unreasonable symbol counts. */ + if (size < obj_raw_syment_count (abfd) + || (bfd_get_file_size (abfd) > 0 + && size > bfd_get_file_size (abfd))) + + { + _bfd_error_handler (_("%B: corrupt symbol count: %#Lx"), + abfd, obj_raw_syment_count (abfd)); + return FALSE; + } syms = bfd_malloc (size); if (syms == NULL) { /* PR 21013: Provide an error message when the alloc fails. */ - _bfd_error_handler (_("%B: Not enough memory to allocate space for %Lu symbols"), - abfd, size); + _bfd_error_handler (_("%B: not enough memory to allocate space for %#Lx symbols of size %#Lx"), + abfd, obj_raw_syment_count (abfd), symesz); return FALSE; } @@ -1794,6 +1804,9 @@ coff_get_normalized_symtab (bfd *abfd) return NULL; size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type); + /* Check for integer overflow. */ + if (size < obj_raw_syment_count (abfd)) + return NULL; internal = (combined_entry_type *) bfd_zalloc (abfd, size); if (internal == NULL && size != 0) return NULL; |