Fix an illegal memory access triggered when trying to examine an input file containing corrupt compressed sections.
PR 25221 * bfd.c (bfd_convert_section_contents): Check for a compress header size that is larger than the actual section size.
This commit is contained in:
parent
bce58db4fb
commit
b899eb3bb8
@ -1,3 +1,9 @@
|
||||
2020-01-09 Nick Clifton <nickc@redhat.com>
|
||||
|
||||
PR 25221
|
||||
* bfd.c (bfd_convert_section_contents): Check for a compress
|
||||
header size that is larger than the actual section size.
|
||||
|
||||
2020-01-08 Alan Modra <amodra@gmail.com>
|
||||
|
||||
PR 25351
|
||||
|
16
bfd/bfd.c
16
bfd/bfd.c
@ -2768,7 +2768,7 @@ bfd_convert_section_contents (bfd *ibfd, sec_ptr isec, bfd *obfd,
|
||||
|| bfd_get_flavour (obfd) != bfd_target_elf_flavour)
|
||||
return TRUE;
|
||||
|
||||
/* Do nothing if ELF classes of input and output are the same. */
|
||||
/* Do nothing if ELF classes of input and output are the same. */
|
||||
if (get_elf_backend_data (ibfd)->s->elfclass
|
||||
== get_elf_backend_data (obfd)->s->elfclass)
|
||||
return TRUE;
|
||||
@ -2782,11 +2782,17 @@ bfd_convert_section_contents (bfd *ibfd, sec_ptr isec, bfd *obfd,
|
||||
if ((ibfd->flags & BFD_DECOMPRESS))
|
||||
return TRUE;
|
||||
|
||||
/* Do nothing if the input section isn't a SHF_COMPRESSED section. */
|
||||
/* Do nothing if the input section isn't a SHF_COMPRESSED section. */
|
||||
ihdr_size = bfd_get_compression_header_size (ibfd, isec);
|
||||
if (ihdr_size == 0)
|
||||
return TRUE;
|
||||
|
||||
/* PR 25221. Check for corrupt input sections. */
|
||||
if (ihdr_size > bfd_get_section_limit (ibfd, isec))
|
||||
/* FIXME: Issue a warning about a corrupt
|
||||
compression header size field ? */
|
||||
return FALSE;
|
||||
|
||||
contents = *ptr;
|
||||
|
||||
/* Convert the contents of the input SHF_COMPRESSED section to
|
||||
@ -2803,6 +2809,12 @@ bfd_convert_section_contents (bfd *ibfd, sec_ptr isec, bfd *obfd,
|
||||
|
||||
use_memmove = FALSE;
|
||||
}
|
||||
else if (ihdr_size != sizeof (Elf64_External_Chdr))
|
||||
{
|
||||
/* FIXME: Issue a warning about a corrupt
|
||||
compression header size field ? */
|
||||
return FALSE;
|
||||
}
|
||||
else
|
||||
{
|
||||
Elf64_External_Chdr *echdr = (Elf64_External_Chdr *) contents;
|
||||
|
Loading…
Reference in New Issue
Block a user