Fix illegal memory access triggered when parsing a PE binary with a corrupt data dictionary.

PR 22373 * peicode.h (pe_bfd_read_buildid): Check for invalid size and data offset values.
2017-10-31 14:29:40 +00:00 · 2017-10-31 14:29:40 +00:00 · 0bb6961f18
parent 45ac8f4f10
commit 0bb6961f18
2 changed files with 12 additions and 3 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,9 @@
+2017-10-31  Nick Clifton  <nickc@redhat.com>
+
+	PR 22373
+	* peicode.h (pe_bfd_read_buildid): Check for invalid size and data
+	offset values.
+
 2017-10-30  Alan Modra  <amodra@gmail.com>

 	* elf32-frv.c (ELF_TARGET_ID): Don't define for generic
--- a/bfd/peicode.h
+++ b/bfd/peicode.h
@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd)
  bfd_byte *data = 0;
  bfd_size_type dataoff;
  unsigned int i;
-
  bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress;
  bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size;

@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd)

  dataoff = addr - section->vma;

-  /* PR 20605: Make sure that the data is really there.  */
-  if (dataoff + size > section->size)
+  /* PR 20605 and 22373: Make sure that the data is really there.
+     Note - since we are dealing with unsigned quantities we have
+     to be careful to check for potential overflows.  */
+  if (dataoff > section->size
+      || size > section->size
+      || dataoff + size > section->size)
    {
      _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),
 			  abfd);