Check number of sections overflow

	* elf.c (assign_section_numbers): Check if number of sections
	>= SHN_LORESERVE.
	* elfcode.h (elf_object_p): Likewise.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index f6d368e..d48c506 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2012-07-03  H.J. Lu  <hongjiu.lu@intel.com>
+
+       * elf.c (assign_section_numbers): Check if number of sections
+       >= SHN_LORESERVE.
+       * elfcode.h (elf_object_p): Likewise.
+
 2012-07-03  Nick Clifton  <nickc@redhat.com>
 
        * archive.c (bsd_write_armap): Catch attempts to create an archive

diff --git a/bfd/elf.c b/bfd/elf.c
index 532c7f9..48e5d68 100644 (file)
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -3014,6 +3014,13 @@ assign_section_numbers (bfd *abfd, struct bfd_link_info *link_info)
       _bfd_elf_strtab_addref (elf_shstrtab (abfd), t->strtab_hdr.sh_name);
     }
 
+  if (section_number >= SHN_LORESERVE)
+    {
+      _bfd_error_handler (_("%B: too many sections: %u"),
+                         abfd, section_number);
+      return FALSE;
+    }
+
   _bfd_elf_strtab_finalize (elf_shstrtab (abfd));
   t->shstrtab_hdr.sh_size = _bfd_elf_strtab_size (elf_shstrtab (abfd));
 

diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index cc55c86..30bda73 100644 (file)
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -633,8 +633,9 @@ elf_object_p (bfd *abfd)
       if (i_ehdrp->e_shnum == SHN_UNDEF)
        {
          i_ehdrp->e_shnum = i_shdr.sh_size;
-         if (i_ehdrp->e_shnum != i_shdr.sh_size
-             || i_ehdrp->e_shnum == 0)
+         if (i_ehdrp->e_shnum >= SHN_LORESERVE
+             || i_ehdrp->e_shnum != i_shdr.sh_size
+             || i_ehdrp->e_shnum  == 0)
            goto got_wrong_format_error;
        }