From beab453223769279cc1cef68a1622ab8978641f7 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Fri, 30 Nov 2018 11:43:12 +0000 Subject: [PATCH] Remove an abort in the bfd library and add a check for an integer overflow when mapping sections to segments. PR 23932 * elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section size. (rewrite_elf_program_header): If no sections are mapped into a segment return an error. --- bfd/ChangeLog | 8 ++++++++ bfd/elf.c | 11 ++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 8f455ae15f..6ea483597d 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,11 @@ +2018-11-30 Nick Clifton + + PR 23932 + * elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section + size. + (rewrite_elf_program_header): If no sections are mapped into a + segment return an error. + 2018-11-30 Alan Modra PR 23937 diff --git a/bfd/elf.c b/bfd/elf.c index 604971dd4c..79a76bea2f 100644 --- a/bfd/elf.c +++ b/bfd/elf.c @@ -6644,6 +6644,7 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd) the given segment. LMA addresses are compared. */ #define IS_CONTAINED_BY_LMA(section, segment, base) \ (section->lma >= base \ + && (section->lma + SECTION_SIZE (section, segment) >= section->lma) \ && (section->lma + SECTION_SIZE (section, segment) \ <= SEGMENT_END (segment, base))) @@ -7167,7 +7168,15 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd) suggested_lma = output_section; } - BFD_ASSERT (map->count > 0); + /* PR 23932. A corrupt input file may contain sections that cannot + be assigned to any segment - because for example they have a + negative size - or segments that do not contain any sections. */ + if (map->count == 0) + { + bfd_set_error (bfd_error_bad_value); + free (sections); + return FALSE; + } /* Add the current segment to the list of built segments. */ *pointer_to_map = map;