Fix a memory exhaustion bug when attempting to allocate room for an impossible number...

	* elfcode.h (elf_object_p): Check for corrupt input files with
	more program headers than can actually fit in the file.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 6ea483597df0454d6154b68fcb37223f6b04030e..f99b0854e70f05016d611bec6701106ba6e2e53a 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,8 @@
+2018-11-30  Nick Clifton  <nickc@redhat.com>
+
+       * elfcode.h (elf_object_p): Check for corrupt input files with
+       more program headers than can actually fit in the file.
+
 2018-11-30  Nick Clifton  <nickc@redhat.com>
 
        PR 23932

diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index f224c8b79d2fb0516a90c1a8ad818d11a1a971a5..16ed8e5bb4da61c087f5d29ab59ec7a0301ba661 100644 (file)
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -784,6 +784,11 @@ elf_object_p (bfd *abfd)
       if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))
        goto got_wrong_format_error;
 #endif
+      /* Check for a corrupt input file with an impossibly large number
+        of program headers.  */
+      if (bfd_get_file_size (abfd) > 0
+         && i_ehdrp->e_phnum > bfd_get_file_size (abfd))
+       goto got_no_match;
       amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr);
       elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);
       if (elf_tdata (abfd)->phdr == NULL)