From e9847026c92f330f18863a7b9cb0aaa299345559 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Thu, 6 Mar 2014 10:57:13 +0000 Subject: Patch for PR binutils/16664 which triggers a seg-fault when attempting to display the contents of a corrupt attribute section. * readelf.c (process_attributes): Add checks for corrupt attribute section names. * elf-attrs.c (_bfd_elf_parse_attributes): Add checks for corrupt attribute section names. --- bfd/ChangeLog | 6 ++++++ bfd/elf-attrs.c | 9 ++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) (limited to 'bfd') diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 9e60287..253e061 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2014-03-06 Nick Clifton + + PR 16664 + * elf-attrs.c (_bfd_elf_parse_attributes): Add checks for corrupt + attribute section names. + 2014-03-05 Alan Modra Update copyright years. diff --git a/bfd/elf-attrs.c b/bfd/elf-attrs.c index d2ef769..cd0cbca 100644 --- a/bfd/elf-attrs.c +++ b/bfd/elf-attrs.c @@ -449,7 +449,7 @@ _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr) len = hdr->sh_size - 1; while (len > 0) { - int namelen; + unsigned namelen; bfd_vma section_len; int vendor; @@ -458,8 +458,11 @@ _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr) if (section_len > len) section_len = len; len -= section_len; - namelen = strlen ((char *) p) + 1; - section_len -= namelen + 4; + section_len -= 4; + namelen = strnlen ((char *) p, section_len) + 1; + if (namelen == 0 || namelen >= section_len) + break; + section_len -= namelen; if (std_sec && strcmp ((char *) p, std_sec) == 0) vendor = OBJ_ATTR_PROC; else if (strcmp ((char *) p, "gnu") == 0) -- cgit v1.1