From 6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Fri, 3 Nov 2017 11:55:21 +0000 Subject: Fix excessive memory allocation attempts and possible integer overfloaws when attempting to read a COFF binary with a corrupt symbol count. PR 22385 * coffgen.c (_bfd_coff_get_external_symbols): Check for an overlarge raw syment count. (coff_get_normalized_symtab): Likewise. --- bfd/ChangeLog | 8 ++++++++ bfd/coffgen.c | 17 +++++++++++++++-- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index b8cddd5..e857d2e 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,11 @@ +2017-11-03 Mingi Cho + Nick Clifton + + PR 22385 + * coffgen.c (_bfd_coff_get_external_symbols): Check for an + overlarge raw syment count. + (coff_get_normalized_symtab): Likewise. + 2017-11-01 James Bowman * archures.c: Add bfd_mach_ft32b. diff --git a/bfd/coffgen.c b/bfd/coffgen.c index 98363d0..81efd9b 100644 --- a/bfd/coffgen.c +++ b/bfd/coffgen.c @@ -1640,13 +1640,23 @@ _bfd_coff_get_external_symbols (bfd *abfd) size = obj_raw_syment_count (abfd) * symesz; if (size == 0) return TRUE; + /* Check for integer overflow and for unreasonable symbol counts. */ + if (size < obj_raw_syment_count (abfd) + || (bfd_get_file_size (abfd) > 0 + && size > bfd_get_file_size (abfd))) + + { + _bfd_error_handler (_("%B: corrupt symbol count: %#Lx"), + abfd, obj_raw_syment_count (abfd)); + return FALSE; + } syms = bfd_malloc (size); if (syms == NULL) { /* PR 21013: Provide an error message when the alloc fails. */ - _bfd_error_handler (_("%B: Not enough memory to allocate space for %Lu symbols"), - abfd, size); + _bfd_error_handler (_("%B: not enough memory to allocate space for %#Lx symbols of size %#Lx"), + abfd, obj_raw_syment_count (abfd), symesz); return FALSE; } @@ -1794,6 +1804,9 @@ coff_get_normalized_symtab (bfd *abfd) return NULL; size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type); + /* Check for integer overflow. */ + if (size < obj_raw_syment_count (abfd)) + return NULL; internal = (combined_entry_type *) bfd_zalloc (abfd, size); if (internal == NULL && size != 0) return NULL; -- cgit v1.1