nm: heap-buffer-overflow at elfcode.h:1507 in bfd_elf64_slurp_symbol_table

  PR 30885
  * elfcode.h (elf_slurp_symbol_table): Compute the symcount for non dynamic symbols in the same way as _bfd_elf_get_symtab_upper_bound.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 4b0544a2ac9f9feac0c8732da911a9259b3578eb..2eee20fae0cd582c53a40a22529124137be2abf8 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2023-09-27  Nick Clifton  <nickc@redhat.com>
+
+       PR 30885
+       * elfcode.h (elf_slurp_symbol_table): Compute the symcount for non
+       dynamic symbols in the same way as _bfd_elf_get_symtab_upper_bound.
+
 2023-09-13  Jacob Navia  <jacob@jacob.remcomp.fr>
 
        * elf.c (_bfd_elf_init_reloc_shdr): Don't segfault on alloc fail.

diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index 92e727b73e7944bc18ba6b4ac309c4b9154613cb..ab8c3eaaf4c6f152e1134a1a4a32e11742ef46b3 100644 (file)
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -1255,11 +1255,13 @@ elf_slurp_symbol_table (bfd *abfd, asymbol **symptrs, bool dynamic)
      symbols.  We actually use all the ELF symbols, so there will be no
      space left over at the end.  When we have all the symbols, we
      build the caller's pointer vector.  */
+  ebd = get_elf_backend_data (abfd);
 
   if (! dynamic)
     {
       hdr = &elf_tdata (abfd)->symtab_hdr;
       verhdr = NULL;
+      symcount = hdr->sh_size / ebd->s->sizeof_sym;
     }
   else
     {
@@ -1278,12 +1280,13 @@ elf_slurp_symbol_table (bfd *abfd, asymbol **symptrs, bool dynamic)
          if (!_bfd_elf_slurp_version_tables (abfd, false))
            return -1;
        }
+
+      symcount = elf_tdata (abfd)->dt_symtab_count;
     }
 
-  ebd = get_elf_backend_data (abfd);
-  symcount = elf_tdata (abfd)->dt_symtab_count;
   if (symcount == 0)
     symcount = hdr->sh_size / sizeof (Elf_External_Sym);
+
   if (symcount == 0)
     sym = symbase = NULL;
   else