More fixes for memory problems uncovered by file fuzzers.

PR binutils/17512 * coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT. Replace another abort with an error message. (coff_slurp_line_table): Add more range checking. * peXXigen.c (pe_print_debugdata): Add range checking.
2014-11-05 17:57:54 +00:00 · 2014-11-05 17:57:54 +00:00 · a6f921c877
parent 74e1a04b97
commit a6f921c877
3 changed files with 28 additions and 7 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,11 @@
+2014-11-04  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/17512
+	* coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT.
+	Replace another abort with an error message.
+	(coff_slurp_line_table): Add more range checking.
+	* peXXigen.c (pe_print_debugdata): Add range checking.
+
 2014-11-05  James Cowgill  <james.cowgill@imgtec.com>

 	* elfxx-mips.c (_bfd_mips_elf_finish_dynamic_sections): Fix segfault
--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@ -928,12 +928,7 @@ handle_COMDAT (bfd * abfd,

      bfd_coff_swap_sym_in (abfd, esym, & isym);

-      if (sizeof (internal_s->s_name) > SYMNMLEN)
-	{
-	  /* This case implies that the matching
-	     symbol name will be in the string table.  */
-	  abort ();
-	}
+      BFD_ASSERT (sizeof (internal_s->s_name) <= SYMNMLEN);

      if (isym.n_scnum == section->target_index)
 	{
@ -964,8 +959,12 @@ handle_COMDAT (bfd * abfd,
 	  /* All 3 branches use this.  */
 	  symname = _bfd_coff_internal_syment_name (abfd, &isym, buf);

+	  /* PR 17512 file: 078-11867-0.004  */ 
 	  if (symname == NULL)
-	    abort ();
+	    {
+	      _bfd_error_handler (_("%B: unable to load COMDAT section name"), abfd);
+	      break;
+	    }

 	  switch (seen_state)
 	    {
@ -4578,6 +4577,13 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
 	  sym = ((coff_symbol_type *)
 		 ((symndx + obj_raw_syments (abfd))
 		  ->u.syment._n._n_n._n_zeroes));
+
+	  /* PR 17512 file: 078-10659-0.004  */
+	  if (sym < obj_symbols (abfd)
+	      || sym > obj_symbols (abfd)
+	      + obj_raw_syment_count (abfd) * sizeof (coff_symbol_type))
+	    sym = NULL;
+
 	  cache_ptr->u.sym = (asymbol *) sym;
 	  if (sym == NULL)
 	      continue;
@ -4599,6 +4605,7 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
      cache_ptr++;
      src++;
    }
+
  cache_ptr->line_number = 0;
  bfd_release (abfd, native_lineno);

--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@ -2573,6 +2573,12 @@ pe_print_debugdata (bfd * abfd, void * vfile)

  dataoff = addr - section->vma;

+  if (size > (section->size - dataoff))
+    {
+      fprintf (file, _("The debug data size field in the data directory is too big for the section"));
+      return FALSE;
+    }
+
  fprintf (file,
 	   _("Type                Size     Rva      Offset\n"));