Fix an illegal memory access triggered when trying to examine an input file containing corrupt compressed sections.

PR 25221
	* bfd.c (bfd_convert_section_contents): Check for a compress
	header size that is larger than the actual section size.
This commit is contained in:
Nick Clifton 2020-01-09 15:49:08 +00:00
parent bce58db4fb
commit b899eb3bb8
2 changed files with 20 additions and 2 deletions

View File

@ -1,3 +1,9 @@
2020-01-09 Nick Clifton <nickc@redhat.com>
PR 25221
* bfd.c (bfd_convert_section_contents): Check for a compress
header size that is larger than the actual section size.
2020-01-08 Alan Modra <amodra@gmail.com>
PR 25351

View File

@ -2768,7 +2768,7 @@ bfd_convert_section_contents (bfd *ibfd, sec_ptr isec, bfd *obfd,
|| bfd_get_flavour (obfd) != bfd_target_elf_flavour)
return TRUE;
/* Do nothing if ELF classes of input and output are the same. */
/* Do nothing if ELF classes of input and output are the same. */
if (get_elf_backend_data (ibfd)->s->elfclass
== get_elf_backend_data (obfd)->s->elfclass)
return TRUE;
@ -2782,11 +2782,17 @@ bfd_convert_section_contents (bfd *ibfd, sec_ptr isec, bfd *obfd,
if ((ibfd->flags & BFD_DECOMPRESS))
return TRUE;
/* Do nothing if the input section isn't a SHF_COMPRESSED section. */
/* Do nothing if the input section isn't a SHF_COMPRESSED section. */
ihdr_size = bfd_get_compression_header_size (ibfd, isec);
if (ihdr_size == 0)
return TRUE;
/* PR 25221. Check for corrupt input sections. */
if (ihdr_size > bfd_get_section_limit (ibfd, isec))
/* FIXME: Issue a warning about a corrupt
compression header size field ? */
return FALSE;
contents = *ptr;
/* Convert the contents of the input SHF_COMPRESSED section to
@ -2803,6 +2809,12 @@ bfd_convert_section_contents (bfd *ibfd, sec_ptr isec, bfd *obfd,
use_memmove = FALSE;
}
else if (ihdr_size != sizeof (Elf64_External_Chdr))
{
/* FIXME: Issue a warning about a corrupt
compression header size field ? */
return FALSE;
}
else
{
Elf64_External_Chdr *echdr = (Elf64_External_Chdr *) contents;