From f586f9b61d1e5d91f010e68922b8c8b86f787a27 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Sun, 17 Aug 2025 15:13:06 +0930
Subject: buffer overflow in process_sht_group_entries

An oss-fuzz testcase with a SHT_GROUP section named .debug managed to
break objcopy --compress-debug-sections.  The underlying problem is
that SEC_DEBUGGING is set by section name tests, thus the SHT_GROUP
section gets compressed.  The compressed section data is smaller than
the original section sh_size, and process_sht_group_entries tries to
look at sh_size worth of entries.  The patch fixes this mess by simply
not setting SEC_DEBUGGING on SHT_GROUP sections.

Note that it isn't correct to restrict SEC_DEBUGGING to SHT_PROGBITS
sections, as that will break processor/os special sections for debug.
eg. SHT_MIPS_DEBUG.

	* elf.c (_bfd_elf_make_section_from_shdr): Don't set
	SEC_DEBUGGING on SEC_GROUP sections no matter their name.
---
 bfd/elf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bfd/elf.c b/bfd/elf.c
index 4051f2f..84a220f 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -957,7 +957,7 @@ _bfd_elf_make_section_from_shdr (bfd *abfd,
       break;
     }
 
-  if ((flags & SEC_ALLOC) == 0)
+  if ((flags & (SEC_ALLOC | SEC_GROUP)) == 0)
     {
       /* The debugging sections appear to be recognized only by name,
 	 not any sort of flag.  Their SEC_ALLOC bits are cleared.  */
-- 
cgit v1.1