author | Nick Clifton <nickc@redhat.com> | 2019-02-28 14:30:20 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2019-02-28 14:30:20 +0000 |
commit | eed5def8d0b7b64c3592be75a9b22bb4ce1a78f4 (patch) | |
tree | 53dc972a14e15ae73f4f9379ed117b8454f30c3b /bfd/elf.c | |
parent | 9c4c331816b14d7020a8a15eed9dac5e5babdb0e (diff) | |
Prevent a buffer overrun error when attempting to parse a corrupt ELF file.
PR 24273
* elf.c (bfd_elf_string_from_elf_section): Check for a string
section that is not NUL terminated.
Diffstat (limited to 'bfd/elf.c')
-rw-r--r-- | bfd/elf.c | 12 |
1 files changed, 11 insertions, 1 deletions
@@ -351,6 +351,16 @@ bfd_elf_string_from_elf_section (bfd *abfd,
 if (bfd_elf_get_str_section (abfd, shindex) == NULL)
 return NULL;
 }
+ else
+ {
+ /* PR 24273: The string section's contents may have already
+ been loaded elsewhere, eg because a corrupt file has the
+ string section index in the ELF header pointing at a group
+ section. So be paranoid, and test that the last byte of
+ the section is zero. */
+ if (hdr->sh_size == 0 || hdr->contents[hdr->sh_size - 1] != 0)
+ return NULL;
+ }
 if (strindex >= hdr->sh_size)
 {
@@ -655,7 +665,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
 BFD_ASSERT (sizeof (*dest) >= 4);
 amt = shdr->sh_size * sizeof (*dest) / 4;
 shdr->contents = (unsigned char *)
- bfd_alloc2 (abfd, shdr->sh_size, sizeof (*dest) / 4);
+ bfd_alloc2 (abfd, shdr->sh_size, sizeof (*dest) / 4);
 /* PR binutils/4110: Handle corrupt group headers. */
 if (shdr->contents == NULL)
 { |
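Review bot: The terminator test in the new `else` branch of the first hunk stops the overrun but does not establish that the cached `hdr->contents` is a string table: a group section whose last byte happens to be zero still passes, and its bytes are then returned to the caller as a name. Since the comment names a mis-typed section as the cause, consider also rejecting on section type in this branch, e.g. `if (hdr->sh_type != SHT_STRTAB && hdr->sh_type < SHT_LOOS) return NULL;`, provided that matches whatever the load path enforces (not visible in this hunk). The index `hdr->sh_size - 1` is only safe if whoever filled `contents` allocated at least `sh_size` bytes, which deserves a one-line comment such as `/* contents is at least sh_size bytes for every loader of this header. */` once confirmed. The new `return NULL` is also silent; a `_bfd_error_handler` message or `bfd_set_error (bfd_error_bad_value)` would let callers distinguish a corrupt file from an absent string. The body of bfd_elf_string_from_elf_section starts and ends outside the hunk.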