fix out-of-bounds access in elf.c:find_link

The out-of-bounds access is reproducible on 'ia64-strip' command
(see sample from https://bugs.gentoo.org/show_bug.cgi?id=622500)

The output file contains less section than original one.
This tricks 'hint' access to go out-of-bounds:

	* elf.c (find_link): Bounds check "hint".

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index f7ef5e1..945cb68 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,7 @@
+2017-06-25  Sergei Trofimovich  <slyfox@gentoo.org>
+
+       * elf.c (find_link): Bounds check "hint".
+
 2017-06-24  Thomas Preud'homme  <thomas.preudhomme@arm.com>
 
        * elf32-arm.c (using_thumb_only): Update list of architectures in

diff --git a/bfd/elf.c b/bfd/elf.c
index 5f37e7f..76c6a5c 100644 (file)
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -1283,7 +1283,8 @@ section_match (const Elf_Internal_Shdr * a,
    to be the correct section.  */
 
 static unsigned int
-find_link (const bfd * obfd, const Elf_Internal_Shdr * iheader, const unsigned int hint)
+find_link (const bfd *obfd, const Elf_Internal_Shdr *iheader,
+          const unsigned int hint)
 {
   Elf_Internal_Shdr ** oheaders = elf_elfsections (obfd);
   unsigned int i;
@@ -1291,7 +1292,8 @@ find_link (const bfd * obfd, const Elf_Internal_Shdr * iheader, const unsigned i
   BFD_ASSERT (iheader != NULL);
 
   /* See PR 20922 for a reproducer of the NULL test.  */
-  if (oheaders[hint] != NULL
+  if (hint < elf_numsections (obfd)
+      && oheaders[hint] != NULL
       && section_match (oheaders[hint], iheader))
     return hint;