author | Alan Modra <amodra@gmail.com> | 2022-10-07 10:23:05 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2022-10-07 12:30:28 +1030 |
commit | ea4e4a19b7f6c192c307b5a37c67d141f3aea074 (patch) | |
tree | 7428330c72d7adb92a9e32032ba7041c3c42d8b3 /bfd/peXXigen.c | |
parent | fea044ba7b5ed9be93ce49b36188edbba7fcebb3 (diff) | |
PR29653, objcopy/strip: fuzzed small input file induces large output file

_bfd_check_format functions should not print errors or warnings if
they return NULL. A NULL return means the particular target under
test does not match, so there isn't any reason to make a complaint
about the target. In fact there isn't a good reason to warn even if
the target matches, except via the _bfd_per_xvec_warn mechanism; some
other target might be a better match.

This patch tidies pe_bfd_object_p with the above in mind, and
restricts the PE optional header SectionAlignment and FileAlignment
fields somewhat. I chose to warn on nonsense values rather than
refusing to match. Refusing to match would be OK too.

PR 29653
* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Don't emit error about
invalid NumberOfRvaAndSizes here. Limit loop copying data
directory to IMAGE_NUMBEROF_DIRECTORY_ENTRIES.
* peicode.h (pe_bfd_object_p): Don't clear and test bfd_error
around bfd_coff_swap_aouthdr_in. Warn on invalid SectionAlignment,
FileAlignment and NumberOfRvaAndSizes. Don't return NULL on
invalid NumberOfRvaAndSizes.

Diffstat (limited to 'bfd/peXXigen.c')
-rw-r--r-- | bfd/peXXigen.c | 55 |
1 files changed, 18 insertions, 37 deletions
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c index a7b8571..e74ed39 100644 --- a/bfd/peXXigen.c +++ b/bfd/peXXigen.c @@ -517,45 +517,26 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, a->LoaderFlags = H_GET_32 (abfd, src->LoaderFlags); a->NumberOfRvaAndSizes = H_GET_32 (abfd, src->NumberOfRvaAndSizes); - { - unsigned idx; - - /* PR 17512: Corrupt PE binaries can cause seg-faults. */ - if (a->NumberOfRvaAndSizes > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) - { - /* xgettext:c-format */ - _bfd_error_handler - (_("%pB: aout header specifies an invalid number of" - " data-directory entries: %u"), abfd, a->NumberOfRvaAndSizes); - bfd_set_error (bfd_error_bad_value); - - /* Paranoia: If the number is corrupt, then assume that the - actual entries themselves might be corrupt as well. */ - a->NumberOfRvaAndSizes = 0; - } - - for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) - { - /* If data directory is empty, rva also should be 0. */ - int size = - H_GET_32 (abfd, src->DataDirectory[idx][1]); - - a->DataDirectory[idx].Size = size; + /* PR 17512: Don't blindly trust NumberOfRvaAndSizes. */ + unsigned idx; + for (idx = 0; + idx < a->NumberOfRvaAndSizes && idx < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; + idx++) + { + /* If data directory is empty, rva also should be 0. */ + int size = H_GET_32 (abfd, src->DataDirectory[idx][1]); + int vma = size ? H_GET_32 (abfd, src->DataDirectory[idx][0]) : 0; - if (size) - a->DataDirectory[idx].VirtualAddress = - H_GET_32 (abfd, src->DataDirectory[idx][0]); - else - a->DataDirectory[idx].VirtualAddress = 0; - } + a->DataDirectory[idx].Size = size; + a->DataDirectory[idx].VirtualAddress = vma; + } - while (idx < IMAGE_NUMBEROF_DIRECTORY_ENTRIES) - { - a->DataDirectory[idx].Size = 0; - a->DataDirectory[idx].VirtualAddress = 0; - idx ++; - } - } + while (idx < IMAGE_NUMBEROF_DIRECTORY_ENTRIES) + { + a->DataDirectory[idx].Size = 0; + a->DataDirectory[idx].VirtualAddress = 0; + idx++; + } if (aouthdr_int->entry) { |
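
Review bot: In the new `for` loop of `_bfd_XXi_swap_aouthdr_in` the copy is bounded by `idx < IMAGE_NUMBEROF_DIRECTORY_ENTRIES`, but `a->NumberOfRvaAndSizes` itself is now stored exactly as read from the file, where the removed code reset it to 0 when it exceeded the limit. If any consumer of the internal header uses `a->NumberOfRvaAndSizes` as a bound when walking `a->DataDirectory`, it would index past the array, so either clamp the stored field after the loop or add a comment here stating that the field is untrusted and that callers must bound by `IMAGE_NUMBEROF_DIRECTORY_ENTRIES`. The same loop also drops the old "Paranoia" behaviour: with an out-of-range count, the first `IMAGE_NUMBEROF_DIRECTORY_ENTRIES` entries are now taken from `src->DataDirectory` instead of being zeroed, which deserves a line in the comment saying it is intentional. As a smaller point, `int size` and the new `int vma` hold `H_GET_32` results in a signed type; an unsigned 32-bit type would match the field and avoid sign surprises for values with the top bit set.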