Fix an illegal memory access when copying a PE format file with corrupt debug information.

PR 23110 * peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Check for a negative PE_DEBUG_DATA size before iterating over the debug data.
2018-04-24 16:31:27 +01:00 · 2018-04-24 16:31:27 +01:00 · aa4a8c2a2a
parent 0a8ddac418
commit aa4a8c2a2a
3 changed files with 2889 additions and 3211 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,9 @@
+2018-04-24  Nick Clifton  <nickc@redhat.com>
+
+	PR 23110
+	* peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Check for
+	a negative PE_DEBUG_DATA size before iterating over the debug data.
+
 2018-04-23  Alan Modra  <amodra@gmail.com>

 	* elf-linux-core.h: Revert last change.
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@ -2993,6 +2993,15 @@ _bfd_XX_bfd_copy_private_bfd_data_common (bfd * ibfd, bfd * obfd)
 		 (uint64_t) (section->size - (addr - section->vma)));
 	      return FALSE;
 	    }
+	  /* PR 23110.  */
+	  else if (ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size < 0)
+	    {
+	      /* xgettext:c-format */
+	      _bfd_error_handler
+		(_("%pB: Data Directory size (%#lx) is negative"),
+		 obfd, ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size);
+	      return FALSE;
+	    }

 	  for (i = 0; i < ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size
 		 / sizeof (struct external_IMAGE_DEBUG_DIRECTORY); i++)
--- a/bfd/po/bfd.pot
+++ b/bfd/po/bfd.pot