author | Alan Modra <amodra@gmail.com> | 2020-08-12 20:18:43 +0930 |
committer | Alan Modra <amodra@gmail.com> | 2020-08-13 08:09:08 +0930 |
commit | 75e100a30d5dfdd3ac2b0391c17173645fc77633 (patch) | |
tree | a5543e1a6a43b603bc654afe5b81edcf8959b1a9 /bfd/elfcode.h | |
parent | 6d8a0a5e90936d4bea9bf1ce9b4e1c22d9aaccae (diff) | |
PR26348, Malloc error in write_zeros
This adds a few more sanity checks on ELF objects, and a BFD flag to
disable objcopy and strip when fuzzed input files belong in the "too
hard" basket.
bfd/
PR 26348
* bfd.c (struct bfd): Add read_only.
* elfcode.h (elf_swap_shdr_in): Test both sh_offset and sh_size.
Set read_only on warning.
(elf_object_p): Sanity check program header alignment. Set
read_only on warning.
* bfd-in2.h: Regenerate.
binutils/
PR 26348
* objcopy.c (copy_object): Report file name with endian error.
Error and return on abfd->read_only.
Diffstat (limited to 'bfd/elfcode.h')
-rw-r--r-- | bfd/elfcode.h | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index 2e2c534..84b08b5 100644
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -321,11 +321,14 @@ elf_swap_shdr_in (bfd *abfd,
 {
 ufile_ptr filesize = bfd_get_file_size (abfd);
- if (filesize != 0 && dst->sh_size > filesize)
- _bfd_error_handler
- (_("warning: %pB has a corrupt section with a size (%" BFD_VMA_FMT "x) larger than the file size"), abfd, dst->sh_size);
+ if (filesize != 0
+ && ((ufile_ptr) dst->sh_offset > filesize
+ || dst->sh_size > filesize - dst->sh_offset))
+ {
+ abfd->read_only = 1;
+ _bfd_error_handler (_("warning: %pB has a section " "extending past end of file"), abfd);
+ }
 }
 dst->sh_link = H_GET_32 (abfd, src->sh_link);
 dst->sh_info = H_GET_32 (abfd, src->sh_info);
@@ -764,6 +767,7 @@ elf_object_p (bfd *abfd)
 So we are kind, and reset the string index value to 0 so that at least some processing can be done. */
 i_ehdrp->e_shstrndx = SHN_UNDEF;
+ abfd->read_only = 1;
 _bfd_error_handler (_("warning: %pB has a corrupt string table index - ignoring"), abfd);
@@ -804,6 +808,14 @@ elf_object_p (bfd *abfd)
 if (bfd_bread (&x_phdr, sizeof x_phdr, abfd) != sizeof x_phdr)
 goto got_no_match;
 elf_swap_phdr_in (abfd, &x_phdr, i_phdr);
+ /* Too much code in BFD relies on alignment being a power of two, as required by the ELF spec. */
+ if (i_phdr->p_align != (i_phdr->p_align & -i_phdr->p_align))
+ {
+ abfd->read_only = 1;
+ _bfd_error_handler (_("warning: %pB has a program header " "with invalid alignment"), abfd);
+ }
 }
 }
 |
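Review bot: The new sh_offset/sh_size bound in the elf_swap_shdr_in hunk is evaluated for every section header, but the condition that opens the enclosing `{` block starts outside the hunk, so it is not visible here whether SHT_NOBITS sections are excluded; a legitimate object with a large .bss has sh_size far past end of file and would trip this warning and set `abfd->read_only`, making objcopy/strip refuse a valid input. If the outer guard does not already test the section type, the check should read `if (dst->sh_type != SHT_NOBITS && filesize != 0` followed by the existing offset/size comparison. The arithmetic itself is sound: the `(ufile_ptr) dst->sh_offset > filesize` test precedes the subtraction, so `filesize - dst->sh_offset` cannot wrap. In the third hunk the `p_align & -p_align` test presumably relies on p_align being an unsigned bfd_vma; a one-line comment saying so, or the more common `(p_align & (p_align - 1)) != 0` form, would make the power-of-two intent obvious to the next reader.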