PR25961, buffer overflow in coff_swap_aux_in
authorAlan Modra <amodra@gmail.com>
Mon, 11 May 2020 08:30:31 +0000 (18:00 +0930)
committerAlan Modra <amodra@gmail.com>
Mon, 11 May 2020 08:41:26 +0000 (18:11 +0930)
PR 25961
* coffgen.c (coff_get_normalized_symtab): Check that buffer
contains required number of auxents before processing any auxent.
* coffswap.h (coff_swap_aux_in <C_FILE>): Only swap in extended
file name from auxents for PE.

bfd/ChangeLog
bfd/coffgen.c
bfd/coffswap.h

index 19ecf8929240bfd9a06d6a02f1b5cb361147b3d8..38ff45537b18f4994c85daa98661dd707b271b41 100644 (file)
@@ -1,3 +1,11 @@
+2020-05-11  Alan Modra  <amodra@gmail.com>
+
+       PR 25961
+       * coffgen.c (coff_get_normalized_symtab): Check that buffer
+       contains required number of auxents before processing any auxent.
+       * coffswap.h (coff_swap_aux_in <C_FILE>): Only swap in extended
+       file name from auxents for PE.
+
 2020-05-04  Gunther Nikl  <gnikl@justmail.de>
 
        * aout-cris.c (DEFAULT_ARCH): Delete define.
index 6d84d512844411ac1ee7d46e00885aa92ee2bd9b..96140e0ad278d9f7559eaa3e4432bbace5c92231 100644 (file)
@@ -1818,6 +1818,13 @@ coff_get_normalized_symtab (bfd *abfd)
       symbol_ptr = internal_ptr;
       internal_ptr->is_sym = TRUE;
 
+      /* PR 17512: Prevent buffer overrun.  */
+      if (symbol_ptr->u.syment.n_numaux > (raw_end - raw_src) / symesz)
+       {
+         bfd_release (abfd, internal);
+         return NULL;
+       }
+
       for (i = 0;
           i < symbol_ptr->u.syment.n_numaux;
           i++)
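Review bot: The new bound at the top of the hunk is off by one: raw_src still points at the symbol's own entry when it runs, so `(raw_end - raw_src) / symesz` counts that entry together with the auxents after it, and an n_numaux equal to the quotient passes the check while the loop's last bfd_coff_swap_aux_in then reads the entry at raw_end. The check the commit removes in the second hunk caught exactly that case with `raw_src >= raw_end`. Counting only the bytes after the current entry fixes it: `if (symbol_ptr->u.syment.n_numaux > ((raw_end - 1) - raw_src) / symesz)`. The removed check also bounded internal_ptr against internal_end; if internal is allocated for the same entry count as the raw table that is implied by the new check, otherwise that guard should stay. coff_get_normalized_symtab continues beyond both hunks.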
@@ -1825,13 +1832,6 @@ coff_get_normalized_symtab (bfd *abfd)
          internal_ptr++;
          raw_src += symesz;
 
-         /* PR 17512: Prevent buffer overrun.  */
-         if (raw_src >= raw_end || internal_ptr >= internal_end)
-           {
-             bfd_release (abfd, internal);
-             return NULL;
-           }
-
          bfd_coff_swap_aux_in (abfd, (void *) raw_src,
                                symbol_ptr->u.syment.n_type,
                                symbol_ptr->u.syment.n_sclass,
index 7c0be221075f3668fa9d227bbd67964d363528cc..f75001e0d26b33820df4306f4f5921a62746abfc 100644 (file)
@@ -399,7 +399,7 @@ coff_swap_aux_in (bfd *abfd,
 #if FILNMLEN != E_FILNMLEN
 #error we need to cope with truncating or extending FILNMLEN
 #else
-         if (numaux > 1)
+         if (numaux > 1 && coff_data (abfd)->pe)
            {
              if (indx == 0)
                memcpy (in->x_file.x_fname, ext->x_file.x_fname,
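Review bot: The `coff_data (abfd)->pe` test added on the changed line carries no comment saying why only PE reads the file name out of the following auxents, so a later reader may drop it as a stray target check; add above it `/* Only PE spreads a long C_FILE name over the following auxents, so do not read past the first one for other targets.  */`. Whether no other COFF target stores anything there is not visible in this hunk, so that claim should be confirmed against the corresponding writer before the comment goes in. The reads of later auxents that this condition guards still rely on the caller having verified that numaux entries actually exist in the buffer, which is worth stating in the function's header comment as part of its contract. coff_swap_aux_in starts before this hunk.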