diff options
author | Alan Modra <amodra@gmail.com> | 2019-02-20 18:22:50 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2019-02-20 18:22:50 +1030 |
commit | c22b42ce308eb538050b4b5789e406b63102b35a (patch) | |
tree | 097dc6ca803567ca3176c58cd647dee1b4e7fe97 | |
parent | edd01d077c5f7a0f76ec4fb77b5b9f5b151fa50a (diff) | |
download | gdb-c22b42ce308eb538050b4b5789e406b63102b35a.zip gdb-c22b42ce308eb538050b4b5789e406b63102b35a.tar.gz gdb-c22b42ce308eb538050b4b5789e406b63102b35a.tar.bz2 |
Unsigned integer overflows in readelf checks
PR 24132
PR 24138
* readelf.c (get_data): Avoid possibility of overflow when
checking for a read that may extend past end of file.
(process_program_headers): Likewise.
-rw-r--r-- | binutils/ChangeLog | 8 | ||||
-rw-r--r-- | binutils/readelf.c | 10 |
2 files changed, 14 insertions, 4 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog index ce933ba..ff67363 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,5 +1,13 @@ 2019-02-20 Alan Modra <amodra@gmail.com> + PR 24132 + PR 24138 + * readelf.c (get_data): Avoid possibility of overflow when + checking for a read that may extend past end of file. + (process_program_headers): Likewise. + +2019-02-20 Alan Modra <amodra@gmail.com> + PR 24233 * objdump.c (dump_bfd_private_header): Print warning if bfd_print_private_bfd_data returns false. diff --git a/binutils/readelf.c b/binutils/readelf.c index 77acc6a..3f424c4 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -398,10 +398,11 @@ get_data (void * var, return NULL; } - /* Be kind to memory chekers (eg valgrind, address sanitizer) by not + /* Be kind to memory checkers (eg valgrind, address sanitizer) by not attempting to allocate memory when the read is bound to fail. */ - if (amt > filedata->file_size - || offset + archive_file_offset + amt > filedata->file_size) + if (archive_file_offset > filedata->file_size + || offset > filedata->file_size - archive_file_offset + || amt > filedata->file_size - archive_file_offset - offset) { if (reason) error (_("Reading %s bytes extends past end of file for %s\n"), @@ -5235,7 +5236,8 @@ process_program_headers (Filedata * filedata) segment. Check this after matching against the section headers so we don't warn on debuginfo file (which have NOBITS .dynamic sections). */ - if (dynamic_addr + dynamic_size >= filedata->file_size) + if (dynamic_addr > filedata->file_size + || dynamic_size > filedata->file_size - dynamic_addr) { error (_("the dynamic segment offset + size exceeds the size of the file\n")); dynamic_addr = dynamic_size = 0; |