From daae68f4f372e0618d6b9c64ec0f1f74eae6ab3d Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Mon, 5 Dec 2016 12:25:34 +0000
Subject: [PATCH] Fix seg-fault in linker parsing a corrupt input file.
PR ld/20924
(aout_link_add_symbols): Fix off by one error checking for
overflow of string offset.
---
 bfd/ChangeLog | 4 ++++
 bfd/aoutx.h | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index dbb90e7007f..3d9cd9e95a2 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -4,6 +4,10 @@
 * aoutx.h (aout_link_add_symbols): Replace BFD_ASSERT with return FALSE.
+ PR ld/20924
+ (aout_link_add_symbols): Fix off by one error checking for
+ overflow of string offset.
+
 2016-12-03 Alan Modra
 * elf64-ppc.c (struct ppc_link_hash_entry): Delete "was_undefined".
diff --git a/bfd/aoutx.h b/bfd/aoutx.h
index fb7041abb3d..4de02e26198 100644
--- a/bfd/aoutx.h
+++ b/bfd/aoutx.h
@@ -3094,7 +3094,7 @@ aout_link_add_symbols (bfd *abfd, struct bfd_link_info *info)
 return FALSE;
 ++p;
 /* PR 19629: Corrupt binaries can contain illegal string offsets. */
- if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd))
+ if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd))
 return FALSE;
 string = strings + GET_WORD (abfd, p->e_strx);
 section = bfd_ind_section_ptr;
@@ -3130,7 +3130,7 @@ aout_link_add_symbols (bfd *abfd, struct bfd_link_info *info)
 ++p;
 string = name;
 /* PR 19629: Corrupt binaries can contain illegal string offsets. */
- if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd))
+ if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd))
 return FALSE;
 name = strings + GET_WORD (abfd, p->e_strx);
 section = bfd_und_section_ptr;
-- 
2.30.2
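Review bot: The tightened `if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd))` check in the hunk at line 3094 keeps `string` inside the string table, but nothing in the hunk guarantees a NUL terminator before the table ends, so a corrupt file whose last string runs to the final byte of the table still lets later consumers of `string` (strlen-style hashing or copying) read past the buffer. Unless the code that reads `strings` appends a terminating NUL — which I cannot see from here — this commit closes the one-past-the-end case but not the unterminated-string case. A cheap follow-up is to have the string-table reader allocate one extra byte and zero it, or to verify once up front that the table's last byte is 0, rather than adding a per-symbol scan here. The enclosing function `aout_link_add_symbols` starts and ends outside this hunk.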
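Review bot: The bounds check on `if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd))` in the hunk at line 3130 is now the same expression as the one at line 3094, and this commit had to correct the identical off-by-one in both copies, which is the usual sign the check belongs in one place. A small static helper taking `abfd` and the raw `e_strx` value and returning whether it is strictly below `obj_aout_external_string_size (abfd)` would let both sites read `if (!aout_string_offset_ok (abfd, GET_WORD (abfd, p->e_strx))) return FALSE;` and keep any future fix to a single line. The comment above each check still cites only PR 19629; appending `PR 20924` to it would point a reader at the off-by-one history. `aout_link_add_symbols` continues outside this hunk on both sides.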