From eed5def8d0b7b64c3592be75a9b22bb4ce1a78f4 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Thu, 28 Feb 2019 14:30:20 +0000
Subject: [PATCH] Prevent a buffer overrun error when attempting to parse a corrupt ELF file.

	PR 24273
	* elf.c (bfd_elf_string_from_elf_section): Check for a string
	section that is not NUL terminated.
---
 bfd/ChangeLog | 6 ++++++
 bfd/elf.c | 12 +++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index f0aec1f6556..100c453eae7 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2019-02-28 Nick Clifton
+
+	PR 24273
+	* elf.c (bfd_elf_string_from_elf_section): Check for a string
+	section that is not NUL terminated.
+
 2019-02-27 H.J. Lu
 
 	PR ld/24276
diff --git a/bfd/elf.c b/bfd/elf.c
index f16acaa08d8..852b966efbe 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -351,6 +351,16 @@ bfd_elf_string_from_elf_section (bfd *abfd,
       if (bfd_elf_get_str_section (abfd, shindex) == NULL)
         return NULL;
     }
+  else
+    {
+      /* PR 24273: The string section's contents may have already
+         been loaded elsewhere, eg because a corrupt file has the
+         string section index in the ELF header pointing at a group
+         section.  So be paranoid, and test that the last byte of
+         the section is zero.  */
+      if (hdr->sh_size == 0 || hdr->contents[hdr->sh_size - 1] != 0)
+        return NULL;
+    }
 
   if (strindex >= hdr->sh_size)
     {
@@ -655,7 +665,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
          BFD_ASSERT (sizeof (*dest) >= 4);
          amt = shdr->sh_size * sizeof (*dest) / 4;
          shdr->contents = (unsigned char *)
-            bfd_alloc2 (abfd, shdr->sh_size, sizeof (*dest) / 4);
+              bfd_alloc2 (abfd, shdr->sh_size, sizeof (*dest) / 4);
          /* PR binutils/4110: Handle corrupt group headers.  */
          if (shdr->contents == NULL)
            {
-- 
2.30.2
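Review bot: The new rejection path in the `else` block of bfd_elf_string_from_elf_section returns NULL silently — it neither calls `bfd_set_error` nor emits a diagnostic — so a caller (and ultimately the objdump/readelf user) cannot tell a corrupt, unterminated string table apart from any other NULL name; add `bfd_set_error (bfd_error_bad_value);` before the `return NULL;`, and if the `strindex >= hdr->sh_size` branch just below reports through `_bfd_error_handler`, mirror that message here so both corrupt-file paths behave alike. The probe `hdr->contents[hdr->sh_size - 1]` is only in bounds when whoever loaded `hdr->contents` provided at least `sh_size` bytes; that holds for the group loader in the second hunk (`bfd_alloc2 (abfd, shdr->sh_size, sizeof (*dest) / 4)` with `sizeof (*dest) >= 4` asserted), but it is an implicit contract on every other loader that sets `hdr->contents`, and worth stating in the comment, e.g. `/* Relies on whoever filled hdr->contents having supplied sh_size bytes.  */`. The `hdr->sh_size == 0` guard is correct and necessary, since without it the check would read `contents[-1]`. The function begins above the hunk, so the `if` this `else` pairs with (presumably a NULL test on `hdr->contents`) is not visible here.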