Fix a seg-fault in strings and other binutuils when parsing a corrupt PE

executable with an invalid value in the NumberOfRvaAndSizes field of the
AOUT header.

	PR binutils/17512
	* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries
	with an invalid value for NumberOfRvaAndSizes.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 7ba4431112bcdb6dbd47ff1b7706602a88ba7267..e1d9379bef868befaee2a5f30772c7a017394469 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,9 @@
 2014-10-27  Nick Clifton  <nickc@redhat.com>
 
+       PR binutils/17512
+       * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries
+       with an invalid value for NumberOfRvaAndSizes.
+
        PR binutils/17510
        * elf.c (setup_group): Improve handling of corrupt group
        sections.

diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index 2fb631c5a7687ce634f866116f5592e0a16621f7..987be407737415bf0a2148989c6c02aaf3bc60ab 100644 (file)
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -504,6 +504,18 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
   {
     int idx;
 
+    /* PR 17512: Corrupt PE binaries can cause seg-faults.  */
+    if (a->NumberOfRvaAndSizes > 16)
+      {
+       (*_bfd_error_handler)
+         (_("%B: aout header specifies an invalid number of data-directory entries: %d"),
+          abfd, a->NumberOfRvaAndSizes);
+       /* Paranoia: If the number is corrupt, then assume that the
+          actual entries themselves might be corrupt as well.  */
+       a->NumberOfRvaAndSizes = 0;
+      }
+
+
     for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
       {
         /* If data directory is empty, rva also should be 0.  */