aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Clifton <nickc@redhat.com>2017-04-13 16:06:30 +0100
committerNick Clifton <nickc@redhat.com>2017-04-13 16:06:30 +0100
commit7296a62a2a237f6b1ad8db8c38b090e9f592c8cf (patch)
treec5ea4ca4f74236e794f4b99f261de2fc46f935b2
parent1d15e434f43bc41a07bc7b0648fcb7e6ccbe8dcc (diff)
downloadgdb-7296a62a2a237f6b1ad8db8c38b090e9f592c8cf.zip
gdb-7296a62a2a237f6b1ad8db8c38b090e9f592c8cf.tar.gz
gdb-7296a62a2a237f6b1ad8db8c38b090e9f592c8cf.tar.bz2
readelf: fix out of range subtraction, seg fault from a NULL pointer and memory exhaustion, all from parsing corrupt binaries.
PR binutils/21379 * readelf.c (process_dynamic_section): Detect over large section offsets in the DT_SYMTAB entry. PR binutils/21345 * readelf.c (process_mips_specific): Catch an unfeasible memory allocation before it happens and print a suitable error message.
-rw-r--r--binutils/ChangeLog12
-rw-r--r--binutils/readelf.c26
2 files changed, 33 insertions, 5 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index ae734c4..5f75c17 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,5 +1,17 @@
2017-04-13 Nick Clifton <nickc@redhat.com>
+ PR binutils/21379
+ * readelf.c (process_dynamic_section): Detect over large section
+ offsets in the DT_SYMTAB entry.
+
+2017-04-13 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21345
+ * readelf.c (process_mips_specific): Catch an unfeasible memory
+ allocation before it happens and print a suitable error message.
+
+2017-04-13 Nick Clifton <nickc@redhat.com>
+
* objcopy.c: Add --no-merge-notes option to disable note merging.
Add --[no-]merge-notes option to strip, and enable it by default.
(num_bytes): New function.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 93b9402..ab53473 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -9436,6 +9436,12 @@ process_dynamic_section (FILE * file)
processing that. This is overkill, I know, but it
should work. */
section.sh_offset = offset_from_vma (file, entry->d_un.d_val, 0);
+ if ((bfd_size_type) section.sh_offset > current_file_size)
+ {
+ /* See PR 21379 for a reproducer. */
+ error (_("Invalid DT_SYMTAB entry: %lx"), (long) section.sh_offset);
+ return FALSE;
+ }
if (archive_file_offset != 0)
section.sh_size = archive_file_size - section.sh_offset;
@@ -15370,6 +15376,15 @@ process_mips_specific (FILE * file)
return FALSE;
}
+ /* PR 21345 - print a slightly more helpful error message
+ if we are sure that the cmalloc will fail. */
+ if (conflictsno * sizeof (* iconf) > current_file_size)
+ {
+ error (_("Overlarge number of conflicts detected: %lx\n"),
+ (long) conflictsno);
+ return FALSE;
+ }
+
iconf = (Elf32_Conflict *) cmalloc (conflictsno, sizeof (* iconf));
if (iconf == NULL)
{
@@ -16656,10 +16671,11 @@ print_symbol_for_build_attribute (FILE * file,
static unsigned long strtablen;
static Elf_Internal_Sym * symtab;
static unsigned long nsyms;
- Elf_Internal_Sym * saved_sym = NULL;
- Elf_Internal_Sym * sym;
+ Elf_Internal_Sym * saved_sym = NULL;
+ Elf_Internal_Sym * sym;
- if (saved_file == NULL || file != saved_file)
+ if (section_headers != NULL
+ && (saved_file == NULL || file != saved_file))
{
Elf_Internal_Shdr * symsec;
@@ -16822,7 +16838,7 @@ print_gnu_build_attribute_name (Elf_Internal_Note * pnote)
if (name == NULL || pnote->namesz < 2)
{
error (_("corrupt name field in GNU build attribute note: size = %ld\n"), pnote->namesz);
- print_symbol (-20, _(" <corrupt name field>"));
+ print_symbol (-20, _(" <corrupt name>"));
return FALSE;
}
@@ -17452,7 +17468,7 @@ process_arch_specific (FILE * file)
return process_mips_specific (file);
case EM_MSP430:
- return process_attributes (file, "mspabi", SHT_MSP430_ATTRIBUTES,
+ return process_attributes (file, "mspabi", SHT_MSP430_ATTRIBUTES,
display_msp430x_attribute,
display_generic_attribute);