* srec.c (srec_get_section_contents): Return immediately on

count zero. Check that offset and count are within section. * libbfd.c (_bfd_generic_get_section_contents): Check that offset + count does not overflow.
2007-07-26 12:34:43 +00:00 · 2007-07-26 12:34:43 +00:00 · e62071b60e
parent b9da616afe
commit e62071b60e
3 changed files with 18 additions and 2 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,5 +1,10 @@
 2007-07-26  Alan Modra  <amodra@bigpond.net.au>

+	* srec.c (srec_get_section_contents): Return immediately on
+	count zero.  Check that offset and count are within section.
+	* libbfd.c (_bfd_generic_get_section_contents): Check that
+	offset + count does not overflow.
+
 	* srec.c (srec_canonicalize_symtab): Don't alloc when symcount
 	is zero.  Correct return value on error.
 	* mmo.c (mmo_canonicalize_symtab): Likewise.
--- a/bfd/libbfd.c
+++ b/bfd/libbfd.c
@ -820,7 +820,8 @@ _bfd_generic_get_section_contents (bfd *abfd,
    return TRUE;

  sz = section->rawsize ? section->rawsize : section->size;
-  if (offset + count > sz)
+  if (offset + count < count
+      || offset + count > sz)
    {
      bfd_set_error (bfd_error_invalid_operation);
      return FALSE;
--- a/bfd/srec.c
+++ b/bfd/srec.c
@ -781,10 +781,20 @@ srec_get_section_contents (bfd *abfd,
 			   file_ptr offset,
 			   bfd_size_type count)
 {
+  if (count == 0)
+    return TRUE;
+
+  if (offset + count < count
+      || offset + count > section->size)
+    {
+      bfd_set_error (bfd_error_invalid_operation);
+      return FALSE;
+    }
+
  if (section->used_by_bfd == NULL)
    {
      section->used_by_bfd = bfd_alloc (abfd, section->size);
-      if (section->used_by_bfd == NULL && section->size != 0)
+      if (section->used_by_bfd == NULL)
 	return FALSE;

      if (! srec_read_section (abfd, section, section->used_by_bfd))