From: Nick Clifton
Date: Tue, 19 Mar 2019 13:39:30 +0000 (+0000)
Subject: Prevent an illegal memory access by objdump when parsing a corrupt file on a 32-bit...
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=634557801d909982b47b1723f4216ebe8bc784aa;p=binutils-gdb.git
Prevent an illegal memory access by objdump when parsing a corrupt file on a 32-bit host. PR 24360 * objdump.c (load_specific_debug_section): Check that the amount of memory to be allocated matches the size of the section.
---
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 95ea5556efa..6fa4bf48e45 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2019-03-19 Nick Clifton
+
+ PR 24360
+ * objdump.c (load_specific_debug_section): Check that the amount
+ of memory to be allocated matches the size of the section.
+
 2019-03-13 Sudakshina Das
 
 * readelf.c (get_aarch64_dynamic_type): Add case for
diff --git a/binutils/objdump.c b/binutils/objdump.c
index 3ef2716b198..79aed757ae8 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -382,10 +382,10 @@ nonfatal (const char *msg)
 static const char *
 sanitize_string (const char * in)
 {
- static char * buffer = NULL;
- static unsigned int buffer_len = 0;
- const char * original = in;
- char * out;
+ static char * buffer = NULL;
+ static size_t buffer_len = 0;
+ const char * original = in;
+ char * out;
 
 /* Paranoia. */
 if (in == NULL)
@@ -2679,6 +2679,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
 bfd *abfd = (bfd *) file;
 bfd_byte *contents;
 bfd_size_type amt;
+ size_t alloced;
 
 if (section->start != NULL)
 {
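Review bot: The change of `buffer_len` from `unsigned int` to `size_t` in sanitize_string is not recorded in the ChangeLog entry, which names only load_specific_debug_section. I would add a line such as `(sanitize_string): Use size_t for buffer_len.` so the type change can be traced to this fix. The code that sizes and grows the static buffer lies outside this hunk, so it is worth confirming that the length it compares against `buffer_len` is also held in a `size_t` and is not narrowed first.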
@@ -2694,8 +2695,9 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
 section->address = bfd_get_section_vma (abfd, sec);
 section->user_data = sec;
 section->size = bfd_get_section_size (sec);
- amt = section->size + 1;
- if (amt == 0)
+ /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */
+ alloced = amt = section->size + 1;
+ if (alloced != amt || alloced == 0)
 {
 section->start = NULL;
 free_debug_section (debug);
@@ -2704,7 +2706,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
 (unsigned long long) section->size);
 return FALSE;
 }
- section->start = contents = malloc (amt);
+ section->start = contents = malloc (alloced);
 if (section->start == NULL
 || !bfd_get_full_section_contents (abfd, sec, &contents))
 {
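Review bot: The new comment above `alloced = amt = section->size + 1;` states a type-width fact but not what the following test rejects, and the narrowing conversion is hidden inside a chained assignment. I would word it as `/* PR 24360: amt can be wider than size_t on 32-bit hosts; reject a size that is truncated by the conversion or that wraps to zero. */` and split the statement into `amt = section->size + 1;` and `alloced = (size_t) amt;` so the truncation point is explicit. Note that the test only checks that the size is representable: a section size that fits in size_t but is implausibly large for the input file still reaches malloc and is caught only by the NULL test in the next hunk.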
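Review bot: `malloc (alloced)` reserves one byte more than `section->size`, but nothing visible in this hunk initialises that extra byte. If the byte is meant to terminate string data for readers that scan to the end of the section, it should be set explicitly once the allocation has succeeded, for example `section->start[section->size] = 0;`. The function body continues outside the hunk, so this may already happen further down and is worth confirming.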