Prevent a buffer overrun error when attempting to parse a corrupt ELF file.

	PR 24273
	* elf.c (bfd_elf_string_from_elf_section): Check for a string
	section that is not NUL terminated.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index f0aec1f655617debb7cef03e04a0b14674771360..100c453eae7cd1c2710432fe1ae4d4f23b36da03 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2019-02-28  Nick Clifton  <nickc@redhat.com>
+
+       PR 24273
+       * elf.c (bfd_elf_string_from_elf_section): Check for a string
+       section that is not NUL terminated.
+
 2019-02-27  H.J. Lu  <hongjiu.lu@intel.com>
 
        PR ld/24276

diff --git a/bfd/elf.c b/bfd/elf.c
index f16acaa08d8e24af9af069efcdcb244b2c19c734..852b966efbe7ed9b2d246ab1e04676c2b90d3f63 100644 (file)
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -351,6 +351,16 @@ bfd_elf_string_from_elf_section (bfd *abfd,
       if (bfd_elf_get_str_section (abfd, shindex) == NULL)
        return NULL;
     }
+  else
+    {
+      /* PR 24273: The string section's contents may have already
+        been loaded elsewhere, eg because a corrupt file has the
+        string section index in the ELF header pointing at a group
+        section.  So be paranoid, and test that the last byte of
+        the section is zero.  */
+      if (hdr->sh_size == 0 || hdr->contents[hdr->sh_size - 1] != 0)
+       return NULL;
+    }
 
   if (strindex >= hdr->sh_size)
     {
@@ -655,7 +665,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
                  BFD_ASSERT (sizeof (*dest) >= 4);
                  amt = shdr->sh_size * sizeof (*dest) / 4;
                  shdr->contents = (unsigned char *)
-                     bfd_alloc2 (abfd, shdr->sh_size, sizeof (*dest) / 4);
+                   bfd_alloc2 (abfd, shdr->sh_size, sizeof (*dest) / 4);
                  /* PR binutils/4110: Handle corrupt group headers.  */
                  if (shdr->contents == NULL)
                    {