PR22769, crash when running 32-bit objdump on corrupted file

	PR 22769
	* objdump.c (load_specific_debug_section): Check for overflow
	when adding one to section size for a string section terminator.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index a492487c25780a3bdc706bfd3516d5f51a6236c3..5f472735a5fbe6f1235692905f0d99728e3425de 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2018-02-01  Alan Modra  <amodra@gmail.com>
+
+       PR 22769
+       * objdump.c (load_specific_debug_section): Check for overflow
+       when adding one to section size for a string section terminator.
+
 2018-01-30  Nick Clifton  <nickc@redhat.com>
 
        PR 22734

diff --git a/binutils/objdump.c b/binutils/objdump.c
index 6c4d936b266a29a2cab7292978ec8f725b4cf1aa..d8dca90f40c87c9bfd437c374f123ba5625a5b1d 100644 (file)
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -2466,6 +2466,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
   struct dwarf_section *section = &debug_displays [debug].section;
   bfd *abfd = (bfd *) file;
   bfd_byte *contents;
+  bfd_size_type amt;
 
   if (section->start != NULL)
     {
@@ -2480,9 +2481,11 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
   section->num_relocs = 0;
   section->address = bfd_get_section_vma (abfd, sec);
   section->size = bfd_get_section_size (sec);
-  section->start = contents = malloc (section->size + 1);
+  amt = section->size + 1;
+  section->start = contents = malloc (amt);
   section->user_data = sec;
-  if (section->start == NULL
+  if (amt == 0
+      || section->start == NULL
       || !bfd_get_full_section_contents (abfd, sec, &contents))
     {
       free_debug_section (debug);