PR22552, readelf heap buffer overflow in load_debug_section

PR 22552 * readelf.c (process_file_header): Don't assume XINDEX case value for e_shstrndx is within bounds. (load_debug_section): Sanity test e_shstrndx before attempting to read .shstrtab. Wrap long lines.
2017-12-06 17:32:48 +10:30 · 2017-12-06 17:32:48 +10:30 · 9c1ce10850
commit 9c1ce10850
parent 07d6d2b834
2 changed files with 17 additions and 6 deletions
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@ -1,3 +1,11 @@
 2017-12-06  Alan Modra  <amodra@gmail.com>
 	PR 22552
 	* readelf.c (process_file_header): Don't assume XINDEX case
 	value for e_shstrndx is within bounds.
 	(load_debug_section): Sanity test e_shstrndx before attempting
 	to read .shstrtab.  Wrap long lines.
 2017-12-01  Oleksandr Pikozh  <o.pikozh@gmail.com>
 	* doc/binutils.texi: Add --strip-unneeded to objcopy synopsis.
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@ -4761,7 +4761,7 @@ process_file_header (Filedata * filedata)
 	header->e_shnum = filedata->section_headers[0].sh_size;
      if (header->e_shstrndx == (SHN_XINDEX & 0xffff))
 	header->e_shstrndx = filedata->section_headers[0].sh_link;
-      else if (header->e_shstrndx >= header->e_shnum)
+      if (header->e_shstrndx >= header->e_shnum)
 	header->e_shstrndx = SHN_UNDEF;
      free (filedata->section_headers);
      filedata->section_headers = NULL;
@ -13578,7 +13578,9 @@ load_debug_section (enum dwarf_section_display_enum debug, void * data)
  if (filedata->section_headers == NULL)
    return FALSE;
-  if (filedata->string_table == NULL)
+  if (filedata->string_table == NULL
      && filedata->file_header.e_shstrndx != SHN_UNDEF
      && filedata->file_header.e_shstrndx < filedata->file_header.e_shnum)
    {
      Elf_Internal_Shdr * strs;
@ -13587,11 +13589,12 @@ load_debug_section (enum dwarf_section_display_enum debug, void * data)
      if (strs != NULL && strs->sh_size != 0)
 	{
-	  filedata->string_table = (char *) get_data (NULL, filedata, strs->sh_offset,
+	  filedata->string_table
-						      1, strs->sh_size,
+	    = (char *) get_data (NULL, filedata, strs->sh_offset,
-						      _("string table"));
+				 1, strs->sh_size, _("string table"));
-	  filedata->string_table_length = filedata->string_table != NULL ? strs->sh_size : 0;
+	  filedata->string_table_length
 	    = filedata->string_table != NULL ? strs->sh_size : 0;
 	}
    }