espressif/binutils-gdb
1
0
Fork 0
mirror of https://github.com/espressif/binutils-gdb.git synced 2025-06-20 18:08:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

_bfd_elf_slurp_secondary_reloc_section sanity check

Browse Source 
* elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
	section header against file size.  Avoid overflow in
	reloc_count.
This commit is contained in:
Alan Modra
2022-12-07 13:49:49 +10:30
parent 16fce1bddb
commit 285b1d3324
1 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
bfd/elf.c
View File

@ -13154,6 +13154,7 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd,
asection * relsec; asection * relsec;
bool result = true; bool result = true;
bfd_vma (*r_sym) (bfd_vma); bfd_vma (*r_sym) (bfd_vma);
ufile_ptr filesize;
#if BFD_DEFAULT_TARGET_SIZE > 32 #if BFD_DEFAULT_TARGET_SIZE > 32
if (bfd_arch_bits_per_address (abfd) != 32) if (bfd_arch_bits_per_address (abfd) != 32)
@ -13167,6 +13168,7 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd,
/* Discover if there are any secondary reloc sections /* Discover if there are any secondary reloc sections
associated with SEC. */ associated with SEC. */
filesize = bfd_get_file_size (abfd);
for (relsec = abfd->sections; relsec != NULL; relsec = relsec->next) for (relsec = abfd->sections; relsec != NULL; relsec = relsec->next)
{ {
Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr; Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
@ -13180,10 +13182,10 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd,
bfd_byte * native_reloc; bfd_byte * native_reloc;
arelent * internal_relocs; arelent * internal_relocs;
arelent * internal_reloc; arelent * internal_reloc;
unsigned int i; size_t i;
unsigned int entsize; unsigned int entsize;
unsigned int symcount; unsigned int symcount;
unsigned int reloc_count; bfd_size_type reloc_count;
size_t amt; size_t amt;
if (ebd->elf_info_to_howto == NULL) if (ebd->elf_info_to_howto == NULL)
@ -13195,6 +13197,15 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd,
#endif #endif
entsize = hdr->sh_entsize; entsize = hdr->sh_entsize;
if (filesize != 0
&& ((ufile_ptr) hdr->sh_offset > filesize
|| hdr->sh_size > filesize - hdr->sh_offset))
{
bfd_set_error (bfd_error_file_truncated);
result = false;
continue;
}
native_relocs = bfd_malloc (hdr->sh_size); native_relocs = bfd_malloc (hdr->sh_size);
if (native_relocs == NULL) if (native_relocs == NULL)
{ {
@ -13268,7 +13279,7 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd,
{ {
_bfd_error_handler _bfd_error_handler
/* xgettext:c-format */ /* xgettext:c-format */
(_("%pB(%pA): relocation %d has invalid symbol index %ld"), (_("%pB(%pA): relocation %zu has invalid symbol index %lu"),
abfd, sec, i, (long) r_sym (rela.r_info)); abfd, sec, i, (long) r_sym (rela.r_info));
bfd_set_error (bfd_error_bad_value); bfd_set_error (bfd_error_bad_value);
internal_reloc->sym_ptr_ptr = internal_reloc->sym_ptr_ptr =