From 768d1d879be2d134e049521f28d4d5e03b69bafc Mon Sep 17 00:00:00 2001 From: Tristan Gingold Date: Wed, 31 May 2023 11:20:55 +0100 Subject: [PATCH] pe/coff - add support for base64 encoded long section names PR 30444 * coffcode.h (coff_write_object_contents): Handle base64 encoding on PE. Also check for too large string table. * coffgen.c (extract_long_section_name): New function extracted from ... (make_a_section_from_file): ... here. Add support for base64 long section names. (decode_base64): New function. --- bfd/ChangeLog | 11 +++++ bfd/coffcode.h | 59 ++++++++++++++++++++------ bfd/coffgen.c | 113 +++++++++++++++++++++++++++++++++++++++++-------- 3 files changed, 152 insertions(+), 31 deletions(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 76d8a954ae3..2b466f794a8 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,14 @@ +2023-05-31 Tristan Gingold + + PR 30444 + * coffcode.h (coff_write_object_contents): Handle base64 encoding + on PE. Also check for too large string table. + * coffgen.c (extract_long_section_name): New function extracted + from ... + (make_a_section_from_file): ... here. Add support for base64 + long section names. + (decode_base64): New function. + 2023-05-17 Luca Bacci PR 30421 diff --git a/bfd/coffcode.h b/bfd/coffcode.h index e52d652616e..47562713938 100644 --- a/bfd/coffcode.h +++ b/bfd/coffcode.h @@ -3568,18 +3568,55 @@ coff_write_object_contents (bfd * abfd) len = strlen (current->name); if (len > SCNNMLEN) { - /* The s_name field is defined to be NUL-padded but need not be - NUL-terminated. We use a temporary buffer so that we can still - sprintf all eight chars without splatting a terminating NUL - over the first byte of the following member (s_paddr). */ - /* PR 21096: The +20 is to stop a bogus warning from gcc7 about - a possible buffer overflow. */ - char s_name_buf[SCNNMLEN + 1 + 20]; /* An inherent limitation of the /nnnnnnn notation used to indicate the offset of the long name in the string table is that we cannot address entries beyone the ten million byte boundary. */ - if (string_size >= 10000000) + if (string_size < 10000000) + { + /* The s_name field is defined to be NUL-padded but need not + be NUL-terminated. We use a temporary buffer so that we + can still sprintf all eight chars without splatting a + terminating NUL over the first byte of the following + member (s_paddr). */ + /* PR 21096: The +20 is to stop a bogus warning from gcc7 + about a possible buffer overflow. */ + char s_name_buf[SCNNMLEN + 1 + 20]; + + /* We do not need to use snprintf here as we have already + verified that string_size is not too big, plus we have + an overlarge buffer, just in case. */ + sprintf (s_name_buf, "/%lu", (unsigned long) string_size); + /* Then strncpy takes care of any padding for us. */ + strncpy (section.s_name, s_name_buf, SCNNMLEN); + } + else +#ifdef COFF_WITH_PE + { + /* PE use a base 64 encoding for long section names whose + index is very large. But contrary to RFC 4648, there is + no padding: 6 characters must be generated. */ + static const char base64[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz" + "0123456789+/"; + unsigned long off = string_size; + unsigned i; + + section.s_name[0] = '/'; + section.s_name[1] = '/'; + for (i = SCNNMLEN - 1; i >= 2; i--) + { + section.s_name[i] = base64[off & 0x3f]; + off >>= 6; + } + } +#endif + if (string_size > 0xffffffffUL - (len + 1) +#ifndef COFF_WITH_PE + || string_size >= 10000000 +#endif + ) { bfd_set_error (bfd_error_file_too_big); _bfd_error_handler @@ -3589,12 +3626,6 @@ coff_write_object_contents (bfd * abfd) return false; } - /* We do not need to use snprintf here as we have already verfied - that string_size is not too big, plus we have an overlarge - buffer, just in case. */ - sprintf (s_name_buf, "/%lu", (unsigned long) string_size); - /* Then strncpy takes care of any padding for us. */ - strncpy (section.s_name, s_name_buf, SCNNMLEN); string_size += len + 1; long_section_names = true; } diff --git a/bfd/coffgen.c b/bfd/coffgen.c index d4c14fba1d9..c81f67c1711 100644 --- a/bfd/coffgen.c +++ b/bfd/coffgen.c @@ -44,6 +44,69 @@ #include "libcoff.h" #include "hashtab.h" +/* Extract a long section name at STRINDEX and copy it to the bfd objstack. + Return NULL in case of error. */ + +static char * +extract_long_section_name(bfd *abfd, unsigned long strindex) +{ + const char *strings; + char *name; + + strings = _bfd_coff_read_string_table (abfd); + if (strings == NULL) + return NULL; + if ((bfd_size_type)(strindex + 2) >= obj_coff_strings_len (abfd)) + return NULL; + strings += strindex; + name = (char *) bfd_alloc (abfd, (bfd_size_type) strlen (strings) + 1); + if (name == NULL) + return NULL; + strcpy (name, strings); + + return name; +} + +/* Decode a base 64 coded string at STR of length LEN, and write the result + to RES. Return true on success. + Return false in case of invalid character or overflow. */ + +static bool +decode_base64 (const char *str, unsigned len, uint32_t *res) +{ + unsigned i; + uint32_t val; + + val = 0; + for (i = 0; i < len; i++) + { + char c = str[i]; + unsigned d; + + if (c >= 'A' && c <= 'Z') + d = c - 'A'; + else if (c >= 'a' && c <= 'z') + d = c - 'a' + 26; + else if (c >= '0' && c <= '9') + d = c - '0' + 52; + else if (c == '+') + d = 62; + else if (c == '/') + d = 63; + else + return false; + + /* Check for overflow. */ + if ((val >> 26) != 0) + return false; + + val = (val << 6) + d; + } + + *res = val; + return true; +} + /* Take a section header read from a coff file (in HOST byte order), and make a BFD "section" out of it. This is used by ECOFF. */ @@ -68,32 +131,48 @@ make_a_section_from_file (bfd *abfd, if (bfd_coff_set_long_section_names (abfd, bfd_coff_long_section_names (abfd)) && hdr->s_name[0] == '/') { - char buf[SCNNMLEN]; - long strindex; - char *p; - const char *strings; - /* Flag that this BFD uses long names, even though the format might expect them to be off by default. This won't directly affect the format of any output BFD created from this one, but the information can be used to decide what to do. */ bfd_coff_set_long_section_names (abfd, true); - memcpy (buf, hdr->s_name + 1, SCNNMLEN - 1); - buf[SCNNMLEN - 1] = '\0'; - strindex = strtol (buf, &p, 10); - if (*p == '\0' && strindex >= 0) + + if (hdr->s_name[1] == '/') { - strings = _bfd_coff_read_string_table (abfd); - if (strings == NULL) - return false; - if ((bfd_size_type)(strindex + 2) >= obj_coff_strings_len (abfd)) + /* LLVM extension: the '/' is followed by another '/' and then by + the index in the strtab encoded in base64 without NUL at the + end. */ + uint32_t strindex; + + /* Decode the index. No overflow is expected as the string table + length is at most 2^32 - 1 (the length is written on the first + four bytes). + Also, contrary to RFC 4648, all the characters must be decoded, + there is no padding. */ + if (!decode_base64 (hdr->s_name + 2, SCNNMLEN - 2, &strindex)) return false; - strings += strindex; - name = (char *) bfd_alloc (abfd, - (bfd_size_type) strlen (strings) + 1 + 1); + + name = extract_long_section_name (abfd, strindex); if (name == NULL) return false; - strcpy (name, strings); + } + else + { + /* PE classic long section name. The '/' is followed by the index + in the strtab. The index is formatted as a decimal string. */ + char buf[SCNNMLEN]; + long strindex; + char *p; + + memcpy (buf, hdr->s_name + 1, SCNNMLEN - 1); + buf[SCNNMLEN - 1] = '\0'; + strindex = strtol (buf, &p, 10); + if (*p == '\0' && strindex >= 0) + { + name = extract_long_section_name (abfd, strindex); + if (name == NULL) + return false; + } } } -- 2.30.2