From 0bb6961f18b8e832d88b490d421ca56cea16c45b Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 31 Oct 2017 14:29:40 +0000
Subject: Fix illegal memory access triggered when parsing a PE binary with a
 corrupt data dictionary.

	PR 22373
	* peicode.h (pe_bfd_read_buildid): Check for invalid size and data
	offset values.
---
 bfd/peicode.h | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'bfd/peicode.h')

diff --git a/bfd/peicode.h b/bfd/peicode.h
index 2dffb12..f3b759c 100644
--- a/bfd/peicode.h
+++ b/bfd/peicode.h
@@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd)
   bfd_byte *data = 0;
   bfd_size_type dataoff;
   unsigned int i;
-
   bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress;
   bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size;
 
@@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd)
 
   dataoff = addr - section->vma;
 
-  /* PR 20605: Make sure that the data is really there.  */
-  if (dataoff + size > section->size)
+  /* PR 20605 and 22373: Make sure that the data is really there.
+     Note - since we are dealing with unsigned quantities we have
+     to be careful to check for potential overflows.  */
+  if (dataoff > section->size
+      || size > section->size
+      || dataoff + size > section->size)
     {
       _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),
 			  abfd);
-- 
cgit v1.1