Fix a possible integer overflow problem when examining corrupt binaries using a 32-bit binutil.

PR 24005 * objdump.c (load_specific_debug_section): Check for integer overflow before attempting to allocate contents.
2019-01-04 13:44:34 +00:00 · 2019-01-04 13:44:34 +00:00 · 11fa9f134f
parent cf0ad5bbf2
commit 11fa9f134f
2 changed files with 17 additions and 3 deletions
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@ -1,3 +1,9 @@
+2019-01-04  Nick Clifton  <nickc@redhat.com>
+
+	PR 24005
+	* objdump.c (load_specific_debug_section): Check for integer
+	overflow before attempting to allocate contents.
+
 2019-01-04  Nick Clifton  <nickc@redhat.com>

 	PR 24001
@ -6,6 +12,7 @@
 	* objdump.c (dump_bfd): Free dhandle after printing out the debug
 	information.

+
 2019-01-01  Alan Modra  <amodra@gmail.com>

 	Update year range in copyright notice of all files.
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@ -2539,12 +2539,19 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
  section->reloc_info = NULL;
  section->num_relocs = 0;
  section->address = bfd_get_section_vma (abfd, sec);
+  section->user_data = sec;
  section->size = bfd_get_section_size (sec);
  amt = section->size + 1;
+  if (amt == 0 || amt > bfd_get_file_size (abfd))
+    {
+      section->start = NULL;
+      free_debug_section (debug);
+      printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
+	      section->name, (unsigned long long) section->size);
+      return FALSE;
+    }
  section->start = contents = malloc (amt);
-  section->user_data = sec;
-  if (amt == 0
-      || section->start == NULL
+  if (section->start == NULL
      || !bfd_get_full_section_contents (abfd, sec, &contents))
    {
      free_debug_section (debug);