diff options
author | Alan Modra <amodra@gmail.com> | 2015-12-07 13:41:36 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2015-12-07 13:42:23 +1030 |
commit | c20f6f63eda61348326a861a155716b8d9073307 (patch) | |
tree | a4d1423c4858d8807105ab85a8126f0ed2c7844d | |
parent | 549dba71045c856f3d169bf2edc7bfc7cabe5a0b (diff) | |
download | gdb-c20f6f63eda61348326a861a155716b8d9073307.zip gdb-c20f6f63eda61348326a861a155716b8d9073307.tar.gz gdb-c20f6f63eda61348326a861a155716b8d9073307.tar.bz2 |
PR19323 memory allocation greater than 4G
On 32-bit targets, memory requested for program/section headers on a
fuzzed binary can wrap to 0. A bfd_alloc of zero bytes actually
returns a one byte allocation rather than a NULL pointer. This then
leads to buffer overflows.
Making this check unconditional triggers an extremely annoying gcc-5
warning.
PR19323
* elfcode.h (elf_object_p): Check for ridiculous e_shnum and
e_phnum values.
-rw-r--r-- | bfd/ChangeLog | 6 | ||||
-rw-r--r-- | bfd/elfcode.h | 10 |
2 files changed, 15 insertions, 1 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 0a92044..710b790 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,5 +1,11 @@ 2015-12-07 Alan Modra <amodra@gmail.com> + PR19323 + * elfcode.h (elf_object_p): Check for ridiculous e_shnum and + e_phnum values. + +2015-12-07 Alan Modra <amodra@gmail.com> + * reloc.c (BFD_RELOC_PPC64_ENTRY): New. * elf64-ppc.c (reloc_howto_type ppc64_elf_howto_raw): Add entry for R_PPC64_ENTRY. diff --git a/bfd/elfcode.h b/bfd/elfcode.h index 26af1d1..915c8d5 100644 --- a/bfd/elfcode.h +++ b/bfd/elfcode.h @@ -676,6 +676,10 @@ elf_object_p (bfd *abfd) Elf_Internal_Shdr *shdrp; unsigned int num_sec; +#ifndef BFD64 + if (i_ehdrp->e_shnum > ((bfd_size_type) -1) / sizeof (*i_shdrp)) + goto got_wrong_format_error; +#endif amt = sizeof (*i_shdrp) * i_ehdrp->e_shnum; i_shdrp = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt); if (!i_shdrp) @@ -766,7 +770,11 @@ elf_object_p (bfd *abfd) Elf_Internal_Phdr *i_phdr; unsigned int i; - amt = i_ehdrp->e_phnum * sizeof (Elf_Internal_Phdr); +#ifndef BFD64 + if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr)) + goto got_wrong_format_error; +#endif + amt = i_ehdrp->e_phnum * sizeof (*i_phdr); elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt); if (elf_tdata (abfd)->phdr == NULL) goto got_no_match; |