Fix seg fault objdumping a corrupt binary with an invalid sh_link field.

PR binutils/20063 * elf.c (bfd_elf_get_elf_syms): Check for out of range sh_link field before accessing sections array. * readelf.c (get_32bit_section_headers): Warn if an out of range sh_link or sh_info field is encountered. (get_64bit_section_headers): Likewise.
2016-05-09 17:31:07 +01:00 · 2016-05-09 17:31:07 +01:00 · 315350be65
parent 9239bbd3a6
commit 315350be65
4 changed files with 32 additions and 5 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,9 @@
+2016-05-09  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/20063
+	* elf.c (bfd_elf_get_elf_syms): Check for out of range sh_link
+	field before accessing sections array.
+
 2016-05-09  Christophe Monat  <christophe.monat@st.com>

 	PR ld/20030
--- a/bfd/elf.c
+++ b/bfd/elf.c
@ -407,11 +407,17 @@ bfd_elf_get_elf_syms (bfd *ibfd,

      /* Find an index section that is linked to this symtab section.  */
      for (entry = elf_symtab_shndx_list (ibfd); entry != NULL; entry = entry->next)
-	if (sections[entry->hdr.sh_link] == symtab_hdr)
-	  {
-	    shndx_hdr = & entry->hdr;
-	    break;
-	  };
+	{
+	  /* PR 20063.  */
+	  if (entry->hdr.sh_link >= elf_numsections (ibfd))
+	    continue;
+
+	  if (sections[entry->hdr.sh_link] == symtab_hdr)
+	    {
+	      shndx_hdr = & entry->hdr;
+	      break;
+	    };
+	}

      if (shndx_hdr == NULL)
 	{
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@ -1,3 +1,10 @@
+2016-05-09  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/20063
+	* readelf.c (get_32bit_section_headers): Warn if an out of range
+	sh_link or sh_info field is encountered.
+	(get_64bit_section_headers): Likewise.
+
 2016-05-04  Senthil Kumar Selvaraj  <senthil_kumar.selvaraj@atmel.com>

 	* testsuite/lib/binutils-common.exp (is_elf_format): Add avr-*-*.
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@ -5059,6 +5059,10 @@ get_32bit_section_headers (FILE * file, bfd_boolean probe)
      internal->sh_info      = BYTE_GET (shdrs[i].sh_info);
      internal->sh_addralign = BYTE_GET (shdrs[i].sh_addralign);
      internal->sh_entsize   = BYTE_GET (shdrs[i].sh_entsize);
+      if (!probe && internal->sh_link > num)
+	warn (_("Section %u has an out of range sh_link value of %u\n"), i, internal->sh_link);
+      if (!probe && internal->sh_flags & SHF_INFO_LINK && internal->sh_info > num)
+	warn (_("Section %u has an out of range sh_info value of %u\n"), i, internal->sh_info);
    }

  free (shdrs);
@ -5117,6 +5121,10 @@ get_64bit_section_headers (FILE * file, bfd_boolean probe)
      internal->sh_info      = BYTE_GET (shdrs[i].sh_info);
      internal->sh_offset    = BYTE_GET (shdrs[i].sh_offset);
      internal->sh_addralign = BYTE_GET (shdrs[i].sh_addralign);
+      if (!probe && internal->sh_link > num)
+	warn (_("Section %u has an out of range sh_link value of %u\n"), i, internal->sh_link);
+      if (!probe && internal->sh_flags & SHF_INFO_LINK && internal->sh_info > num)
+	warn (_("Section %u has an out of range sh_info value of %u\n"), i, internal->sh_info);
    }

  free (shdrs);