Fix a possible integer overflow problem when examining corrupt binaries using a 32...

	PR 24005
	* objdump.c (load_specific_debug_section): Check for integer
	overflow before attempting to allocate contents.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index c1b2d0b..9fef84b 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,11 +1,18 @@
 2019-01-04  Nick Clifton  <nickc@redhat.com>
 
+       PR 24005
+       * objdump.c (load_specific_debug_section): Check for integer
+       overflow before attempting to allocate contents.
+
+2019-01-04  Nick Clifton  <nickc@redhat.com>
+
        PR 24001
        * objcopy.c (copy_object): Free dhandle after writing out the
        debug information.
        * objdump.c (dump_bfd): Free dhandle after printing out the debug
        information.
 
+
 2019-01-01  Alan Modra  <amodra@gmail.com>
 
        Update year range in copyright notice of all files.

diff --git a/binutils/objdump.c b/binutils/objdump.c
index 220d93a..f1e6d2e 100644 (file)
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -2539,12 +2539,19 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
   section->reloc_info = NULL;
   section->num_relocs = 0;
   section->address = bfd_get_section_vma (abfd, sec);
+  section->user_data = sec;
   section->size = bfd_get_section_size (sec);
   amt = section->size + 1;
+  if (amt == 0 || amt > bfd_get_file_size (abfd))
+    {
+      section->start = NULL;
+      free_debug_section (debug);
+      printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
+             section->name, (unsigned long long) section->size);
+      return FALSE;
+    }
   section->start = contents = malloc (amt);
-  section->user_data = sec;
-  if (amt == 0
-      || section->start == NULL
+  if (section->start == NULL
       || !bfd_get_full_section_contents (abfd, sec, &contents))
     {
       free_debug_section (debug);