PR27459, segmentation fault in go32exe_check_format

author Alan Modra <amodra@gmail.com>

Wed, 24 Feb 2021 00:22:47 +0000 (10:52 +1030)

committer Alan Modra <amodra@gmail.com>

Wed, 24 Feb 2021 00:25:36 +0000 (10:55 +1030)
author Alan Modra <amodra@gmail.com>
Wed, 24 Feb 2021 00:22:47 +0000 (10:52 +1030)
committer Alan Modra <amodra@gmail.com>
Wed, 24 Feb 2021 00:25:36 +0000 (10:55 +1030)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog

index 7a41a149aec6d93e6df96056ea684c01856aa331..52d9bf26008b96308a6a6bc23f4dde19f7bd9290 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2021-02-24  Alan Modra  <amodra@gmail.com>
+
+       PR 27459
+       * coff-stgo32.c (go32exe_check_format): Sanity check size of
+       header to avoid a buffer overflow.
+
  2021-02-22  Alan Modra  <amodra@gmail.com>
  
         * coff-rs6000.c (_bfd_xcoff_reloc_type_lookup): Remove BFD_RELOC_16.
diff --git a/bfd/coff-stgo32.c b/bfd/coff-stgo32.c

index 7ae94197723f1e7ee35a35a77f28837d8835814b..7593b62e8e69a1664720c7eb05acba07b35d3187 100644 (file)
--- a/bfd/coff-stgo32.c
+++ b/bfd/coff-stgo32.c
@@ -304,7 +304,9 @@ go32exe_check_format (bfd *abfd)
  
    /* Confirm that this is a go32stub.  */
    header_end = H_GET_16 (abfd, filehdr_dos.e_cparhdr) * 16UL;
-  if (! CONST_STRNEQ (go32exe_temp_stub + header_end, "go32stub"))
+  if (go32exe_temp_stub_size < header_end
+      || go32exe_temp_stub_size - header_end < sizeof "go32stub" - 1
+      || !CONST_STRNEQ (go32exe_temp_stub + header_end, "go32stub"))
      goto fail_format;
  
    /* Set origin to where the COFF header starts and seek there.  */
author	Alan Modra <amodra@gmail.com>
	Wed, 24 Feb 2021 00:22:47 +0000 (10:52 +1030)
committer	Alan Modra <amodra@gmail.com>
	Wed, 24 Feb 2021 00:25:36 +0000 (10:55 +1030)
bfd/ChangeLog		patch \| blob \| history
bfd/coff-stgo32.c		patch \| blob \| history