offset = i_shdrp[shindex]->sh_offset;
shstrtabsize = i_shdrp[shindex]->sh_size;
+ /* PR binutils/17512: Do not even try to load
+ a string table bigger than the entire file... */
+ if (shstrtabsize >= (bfd_size_type) bfd_get_size (abfd))
+ return NULL;
+
/* Allocate and clear an extra byte at the end, to prevent crashes
in case the string table is not terminated. */
if (shstrtabsize + 1 <= 1
+2014-10-31 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/17512
+ * readelf.c (process_program_headers): Avoid memory exhaustion due
+ to corrupt values in a dynamis segment header.
+ (get_32bit_elf_symbols): Do not attempt to read an over-large
+ section.
+ (get_64bit_elf_symbols): Likewise.
+
2014-10-31 Nick Clifton <nickc@redhat.com>
* strings.c: Add new command line option --data to only scan the
char * program_name = "readelf";
static long archive_file_offset;
static unsigned long archive_file_size;
+static bfd_size_type current_file_size;
static unsigned long dynamic_addr;
static bfd_size_type dynamic_size;
static unsigned int dynamic_nent;
}
}
+ if (do_segments)
+ putc ('\n', stdout);
+
switch (segment->p_type)
{
case PT_DYNAMIC:
section in the DYNAMIC segment. */
dynamic_addr = segment->p_offset;
dynamic_size = segment->p_filesz;
+ /* PR binutils/17512: Avoid corrupt dynamic section info in the segment. */
+ if (dynamic_addr + dynamic_size >= current_file_size)
+ {
+ error (_("the dynamic segment offset + size exceeds the size of the file\n"));
+ dynamic_addr = dynamic_size = 0;
+ }
/* Try to locate the .dynamic section. If there is
a section header table, we can easily locate it. */
error (_("Unable to read program interpreter name\n"));
if (do_segments)
- printf (_("\n [Requesting program interpreter: %s]"),
+ printf (_(" [Requesting program interpreter: %s]\n"),
program_interpreter);
}
break;
}
-
- if (do_segments)
- putc ('\n', stdout);
}
if (do_segments && section_headers != NULL && string_table != NULL)
goto exit_point;
}
+ if (section->sh_size > current_file_size)
+ {
+ error (_("Section %s has an invalid sh_size of 0x%lx\n"),
+ SECTION_NAME (section), section->sh_size);
+ goto exit_point;
+ }
+
number = section->sh_size / section->sh_entsize;
if (number * sizeof (Elf32_External_Sym) > section->sh_size + 1)
goto exit_point;
}
+ if (section->sh_size > current_file_size)
+ {
+ error (_("Section %s has an invalid sh_size of 0x%lx\n"),
+ SECTION_NAME (section), section->sh_size);
+ goto exit_point;
+ }
+
number = section->sh_size / section->sh_entsize;
if (number * sizeof (Elf64_External_Sym) > section->sh_size + 1)
return 1;
}
+ current_file_size = (bfd_size_type) statbuf.st_size;
+
if (memcmp (armag, ARMAG, SARMAG) == 0)
ret = process_archive (file_name, file, FALSE);
else if (memcmp (armag, ARMAGT, SARMAG) == 0)
fclose (file);
+ current_file_size = 0;
return ret;
}
projects / binutils-gdb.git / commitdiff