From 11fa9f134fd658075c6f74499c780df045d9e9ca Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Fri, 4 Jan 2019 13:44:34 +0000 Subject: [PATCH] Fix a possible integer overflow problem when examining corrupt binaries using a 32-bit binutil. PR 24005 * objdump.c (load_specific_debug_section): Check for integer overflow before attempting to allocate contents. --- binutils/ChangeLog | 7 +++++++ binutils/objdump.c | 13 ++++++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/binutils/ChangeLog b/binutils/ChangeLog index c1b2d0b995..9fef84b665 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,9 @@ +2019-01-04 Nick Clifton + + PR 24005 + * objdump.c (load_specific_debug_section): Check for integer + overflow before attempting to allocate contents. + 2019-01-04 Nick Clifton PR 24001 @@ -6,6 +12,7 @@ * objdump.c (dump_bfd): Free dhandle after printing out the debug information. + 2019-01-01 Alan Modra Update year range in copyright notice of all files. diff --git a/binutils/objdump.c b/binutils/objdump.c index 220d93a325..f1e6d2eb94 100644 --- a/binutils/objdump.c +++ b/binutils/objdump.c @@ -2539,12 +2539,19 @@ load_specific_debug_section (enum dwarf_section_display_enum debug, section->reloc_info = NULL; section->num_relocs = 0; section->address = bfd_get_section_vma (abfd, sec); + section->user_data = sec; section->size = bfd_get_section_size (sec); amt = section->size + 1; + if (amt == 0 || amt > bfd_get_file_size (abfd)) + { + section->start = NULL; + free_debug_section (debug); + printf (_("\nSection '%s' has an invalid size: %#llx.\n"), + section->name, (unsigned long long) section->size); + return FALSE; + } section->start = contents = malloc (amt); - section->user_data = sec; - if (amt == 0 - || section->start == NULL + if (section->start == NULL || !bfd_get_full_section_contents (abfd, sec, &contents)) { free_debug_section (debug);