From f64e188b58f4aab4cbd03aa6e9fc1aa602546e26 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 9 Dec 2014 12:42:18 +0000
Subject: More fixes for memory access violations triggered by fuzzed binaries.

	PR binutils/17512
	* objdump.c (display_any_bfd): Avoid infinite loop closing and
	opening the same archive again and again.

	* archive64.c (bfd_elf64_archive_slurp_armap): Add range checks.
	* libbfd.c (safe_read_leb128): New function.
	* libbfd-in.h (safe_read_leb128): Add prototype.
	* libbfd.h: Regenerate.
	* elf-attrs.c (_bfd_elf_parse_attributes): Use safe_read_leb128.
	Check for an over-long subsection length.
	* elf.c (elf_parse_notes): Check that the namedata is long enough
	for the string comparison that is about to be performed.
	(elf_read_notes): Zero-terminate the note buffer.
---
 bfd/elf.c | 53 +++++++++++++++++++++++++++++------------------------
 1 file changed, 29 insertions(+), 24 deletions(-)

(limited to 'bfd/elf.c')

diff --git a/bfd/elf.c b/bfd/elf.c
index 405ec33..f6923b4 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -9817,32 +9817,33 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset)
 	  return TRUE;
 
 	case bfd_core:
-	  if (CONST_STRNEQ (in.namedata, "NetBSD-CORE"))
-	    {
-	      if (! elfcore_grok_netbsd_note (abfd, &in))
-		return FALSE;
-	    }
-	  else if (CONST_STRNEQ (in.namedata, "OpenBSD"))
-	    {
-	      if (! elfcore_grok_openbsd_note (abfd, &in))
-		return FALSE;
-	    }
-	  else if (CONST_STRNEQ (in.namedata, "QNX"))
+	  {
+	    struct
 	    {
-	      if (! elfcore_grok_nto_note (abfd, &in))
-		return FALSE;
+	      const char * string;
+	      bfd_boolean (* func)(bfd *, Elf_Internal_Note *);
 	    }
-	  else if (CONST_STRNEQ (in.namedata, "SPU/"))
+	    grokers[] =
 	    {
-	      if (! elfcore_grok_spu_note (abfd, &in))
-		return FALSE;
-	    }
-	  else
-	    {
-	      if (! elfcore_grok_note (abfd, &in))
-		return FALSE;
-	    }
-	  break;
+	      { "", elfcore_grok_note },
+	      { "NetBSD-CORE", elfcore_grok_netbsd_note },
+	      { "OpenBSD", elfcore_grok_openbsd_note },
+	      { "QNX", elfcore_grok_nto_note },
+	      { "SPU/", elfcore_grok_spu_note }
+	    };
+	    int i;
+
+	    for (i = ARRAY_SIZE (grokers); i--;)
+	      if (in.namesz >= sizeof grokers[i].string - 1
+		  && strncmp (in.namedata, grokers[i].string,
+			      sizeof (grokers[i].string) - 1) == 0)
+		{
+		  if (! grokers[i].func (abfd, & in))
+		    return FALSE;
+		  break;
+		}
+	    break;
+	  }
 
 	case bfd_object:
 	  if (in.namesz == sizeof "GNU" && strcmp (in.namedata, "GNU") == 0)
@@ -9876,10 +9877,14 @@ elf_read_notes (bfd *abfd, file_ptr offset, bfd_size_type size)
   if (bfd_seek (abfd, offset, SEEK_SET) != 0)
     return FALSE;
 
-  buf = (char *) bfd_malloc (size);
+  buf = (char *) bfd_malloc (size + 1);
   if (buf == NULL)
     return FALSE;
 
+  /* PR 17512: file: ec08f814
+     0-termintate the buffer so that string searches will not overflow.  */
+  buf[size] = 0;
+
   if (bfd_bread (buf, size, abfd) != size
       || !elf_parse_notes (abfd, buf, size, offset))
     {
-- 
cgit v1.1