From 0bb6961f18b8e832d88b490d421ca56cea16c45b Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 31 Oct 2017 14:29:40 +0000 Subject: [PATCH] Fix illegal memory access triggered when parsing a PE binary with a corrupt data dictionary. PR 22373 * peicode.h (pe_bfd_read_buildid): Check for invalid size and data offset values. --- bfd/ChangeLog | 6 ++++++ bfd/peicode.h | 9 ++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index d6de8d59b0f..a28769abf50 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2017-10-31 Nick Clifton + + PR 22373 + * peicode.h (pe_bfd_read_buildid): Check for invalid size and data + offset values. + 2017-10-30 Alan Modra * elf32-frv.c (ELF_TARGET_ID): Don't define for generic diff --git a/bfd/peicode.h b/bfd/peicode.h index 2dffb12072b..f3b759cce88 100644 --- a/bfd/peicode.h +++ b/bfd/peicode.h @@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd) bfd_byte *data = 0; bfd_size_type dataoff; unsigned int i; - bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress; bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size; @@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd) dataoff = addr - section->vma; - /* PR 20605: Make sure that the data is really there. */ - if (dataoff + size > section->size) + /* PR 20605 and 22373: Make sure that the data is really there. + Note - since we are dealing with unsigned quantities we have + to be careful to check for potential overflows. */ + if (dataoff > section->size + || size > section->size + || dataoff + size > section->size) { _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."), abfd); -- 2.30.2