authorNick Clifton <nickc@redhat.com>2023-09-27 16:09:06 +0100
committerNick Clifton <nickc@redhat.com>2023-09-27 16:09:06 +0100
commit4befded43f524d0840bb88fff7b77415b73a3851 (patch)
tree791d87dee82da396ed3d676f84899db03efcba31
parent58bceb182740111d66fb0afa4b7941a5937dc492 (diff)
nm: heap-buffer-overflow at elfcode.h:1507 in bfd_elf64_slurp_symbol_table
PR 30885 * elfcode.h (elf_slurp_symbol_table): Compute the symcount for non dynamic symbols in the same way as _bfd_elf_get_symtab_upper_bound.
-rw-r--r--bfd/ChangeLog6
-rw-r--r--bfd/elfcode.h7
2 files changed, 11 insertions, 2 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 4b0544a..2eee20f 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2023-09-27 Nick Clifton <nickc@redhat.com>
+
+ PR 30885
+ * elfcode.h (elf_slurp_symbol_table): Compute the symcount for non
+ dynamic symbols in the same way as _bfd_elf_get_symtab_upper_bound.
+
2023-09-13 Jacob Navia <jacob@jacob.remcomp.fr>
* elf.c (_bfd_elf_init_reloc_shdr): Don't segfault on alloc fail.
diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index 92e727b..ab8c3ea 100644
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -1255,11 +1255,13 @@ elf_slurp_symbol_table (bfd *abfd, asymbol **symptrs, bool dynamic)
symbols. We actually use all the ELF symbols, so there will be no
space left over at the end. When we have all the symbols, we
build the caller's pointer vector. */
+ ebd = get_elf_backend_data (abfd);
if (! dynamic)
{
hdr = &elf_tdata (abfd)->symtab_hdr;
verhdr = NULL;
+ symcount = hdr->sh_size / ebd->s->sizeof_sym;
}
else
{
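Review bot: The added `symcount = hdr->sh_size / ebd->s->sizeof_sym;` in the `! dynamic` branch carries no comment saying why the count must come from the section header rather than from `dt_symtab_count`. Going by the commit message, it has to agree with `_bfd_elf_get_symtab_upper_bound`, presumably because callers size `symptrs` from that bound, so a later edit that lets the two drift apart would bring the out-of-bounds write back. I would put `/* Keep in step with _bfd_elf_get_symtab_upper_bound (PR 30885). */` directly above the assignment. The function starts before this hunk and continues after it.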
@@ -1278,12 +1280,13 @@ elf_slurp_symbol_table (bfd *abfd, asymbol **symptrs, bool dynamic)
if (!_bfd_elf_slurp_version_tables (abfd, false))
return -1;
}
+
+ symcount = elf_tdata (abfd)->dt_symtab_count;
}
- ebd = get_elf_backend_data (abfd);
- symcount = elf_tdata (abfd)->dt_symtab_count;
if (symcount == 0)
symcount = hdr->sh_size / sizeof (Elf_External_Sym);
+
if (symcount == 0)
sym = symbase = NULL;
else
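Review bot: The retained fallback `symcount = hdr->sh_size / sizeof (Elf_External_Sym);` divides by a different expression than the new non-dynamic assignment, which uses `ebd->s->sizeof_sym`. On the non-dynamic path it can only run when the first division already gave 0, so it is either redundant or, if the two sizes ever differ, yields a count that the upper-bound routine did not account for. Using `ebd->s->sizeof_sym` in the fallback, or moving the fallback inside the `else` branch, would leave a single rule. The dynamic branch still takes `dt_symtab_count` as is, and nothing in the hunk shows it being checked against `hdr->sh_size`, which is worth confirming since both values presumably originate in the input file. The function body continues past the end of the hunk.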