From 4d5acb1ea570f04f8020338bad6918dfe76b785c Mon Sep 17 00:00:00 2001 From: Alan Modra <amodra@gmail.com> Date: Mon, 11 May 2020 18:00:31 +0930 Subject: PR25961, buffer overflow in coff_swap_aux_in PR 25961 * coffgen.c (coff_get_normalized_symtab): Check that buffer contains required number of auxents before processing any auxent. * coffswap.h (coff_swap_aux_in <C_FILE>): Only swap in extended file name from auxents for PE. --- bfd/ChangeLog | 8 ++++++++ bfd/coffgen.c | 14 +++++++------- bfd/coffswap.h | 2 +- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 19ecf89..38ff455 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,11 @@ +2020-05-11 Alan Modra <amodra@gmail.com> + + PR 25961 + * coffgen.c (coff_get_normalized_symtab): Check that buffer + contains required number of auxents before processing any auxent. + * coffswap.h (coff_swap_aux_in <C_FILE>): Only swap in extended + file name from auxents for PE. + 2020-05-04 Gunther Nikl <gnikl@justmail.de> * aout-cris.c (DEFAULT_ARCH): Delete define. diff --git a/bfd/coffgen.c b/bfd/coffgen.c index 6d84d51..96140e0 100644 --- a/bfd/coffgen.c +++ b/bfd/coffgen.c @@ -1818,6 +1818,13 @@ coff_get_normalized_symtab (bfd *abfd) symbol_ptr = internal_ptr; internal_ptr->is_sym = TRUE; + /* PR 17512: Prevent buffer overrun. */ + if (symbol_ptr->u.syment.n_numaux > (raw_end - raw_src) / symesz) + { + bfd_release (abfd, internal); + return NULL; + } + for (i = 0; i < symbol_ptr->u.syment.n_numaux; i++) @@ -1825,13 +1832,6 @@ coff_get_normalized_symtab (bfd *abfd) internal_ptr++; raw_src += symesz; - /* PR 17512: Prevent buffer overrun. */ - if (raw_src >= raw_end || internal_ptr >= internal_end) - { - bfd_release (abfd, internal); - return NULL; - } - bfd_coff_swap_aux_in (abfd, (void *) raw_src, symbol_ptr->u.syment.n_type, symbol_ptr->u.syment.n_sclass, diff --git a/bfd/coffswap.h b/bfd/coffswap.h index 7c0be22..f75001e 100644 --- a/bfd/coffswap.h +++ b/bfd/coffswap.h @@ -399,7 +399,7 @@ coff_swap_aux_in (bfd *abfd, #if FILNMLEN != E_FILNMLEN #error we need to cope with truncating or extending FILNMLEN #else - if (numaux > 1) + if (numaux > 1 && coff_data (abfd)->pe) { if (indx == 0) memcpy (in->x_file.x_fname, ext->x_file.x_fname, -- cgit v1.1