Fix an illegal memory access triggered when trying to examine an input file containing corrupt compressed sections.

	PR 25221
	* bfd.c (bfd_convert_section_contents): Check for a compress
	header size that is larger than the actual section size.

1 files changed, 14 insertions, 2 deletions

diff --git a/bfd/bfd.c b/bfd/bfd.c
index d590e0a..b105062 100644
--- a/bfd/bfd.c
+++ b/bfd/bfd.c
@@ -2768,7 +2768,7 @@ bfd_convert_section_contents (bfd *ibfd, sec_ptr isec, bfd *obfd,
       || bfd_get_flavour (obfd) != bfd_target_elf_flavour)
     return TRUE;
 
-  /* Do nothing if ELF classes of input and output are the same. */
+  /* Do nothing if ELF classes of input and output are the same.  */
   if (get_elf_backend_data (ibfd)->s->elfclass
       == get_elf_backend_data (obfd)->s->elfclass)
     return TRUE;
@@ -2782,11 +2782,17 @@ bfd_convert_section_contents (bfd *ibfd, sec_ptr isec, bfd *obfd,
   if ((ibfd->flags & BFD_DECOMPRESS))
     return TRUE;
 
-  /* Do nothing if the input section isn't a SHF_COMPRESSED section. */
+  /* Do nothing if the input section isn't a SHF_COMPRESSED section.  */
   ihdr_size = bfd_get_compression_header_size (ibfd, isec);
   if (ihdr_size == 0)
     return TRUE;
 
+  /* PR 25221.  Check for corrupt input sections.  */
+  if (ihdr_size > bfd_get_section_limit (ibfd, isec))
+    /* FIXME: Issue a warning about a corrupt
+       compression header size field ?  */
+    return FALSE;
+
   contents = *ptr;
 
   /* Convert the contents of the input SHF_COMPRESSED section to
@@ -2803,6 +2809,12 @@ bfd_convert_section_contents (bfd *ibfd, sec_ptr isec, bfd *obfd,
 
       use_memmove = FALSE;
     }
+  else if (ihdr_size != sizeof (Elf64_External_Chdr))
+    {
+      /* FIXME: Issue a warning about a corrupt
+	 compression header size field ?  */
+      return FALSE;
+    }
   else
     {
       Elf64_External_Chdr *echdr = (Elf64_External_Chdr *) contents;