Fix potential illegal memroy access when using a build-id note with a negative size.

author Nick Clifton <nickc@redhat.com>

Wed, 20 Jun 2018 15:30:05 +0000 (16:30 +0100)

committer Nick Clifton <nickc@redhat.com>

Wed, 20 Jun 2018 15:30:05 +0000 (16:30 +0100)
author Nick Clifton <nickc@redhat.com>
Wed, 20 Jun 2018 15:30:05 +0000 (16:30 +0100)
committer Nick Clifton <nickc@redhat.com>
Wed, 20 Jun 2018 15:30:05 +0000 (16:30 +0100)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog

index 110115c..bdbdf69 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -12,6 +12,12 @@
  
  2018-06-20  Nick Clifton  <nickc@redhat.com>
  
+       PR 23316
+       * opncls.c (get_build_id): Check for a negative or excessive data
+       size in the build-id note.
+
+2018-06-20  Nick Clifton  <nickc@redhat.com>
+
         PR 23299
         * mach-o.c (cputype): New function.
         (cpusubtype): New function.
diff --git a/bfd/opncls.c b/bfd/opncls.c

index 16b568c..e275045 100644 (file)
--- a/bfd/opncls.c
+++ b/bfd/opncls.c
@@ -1877,10 +1877,11 @@ get_build_id (bfd *abfd)
    inote.descdata = inote.namedata + BFD_ALIGN (inote.namesz, 4);
    /* FIXME: Should we check for extra notes in this section ?  */
  
-  if (inote.descsz == 0
+  if (inote.descsz <= 0
        || inote.type != NT_GNU_BUILD_ID
        || inote.namesz != 4 /* sizeof "GNU"  */
        || strncmp (inote.namedata, "GNU", 4) != 0
+      || inote.descsz > 0x7ffffffe
        || size < (12 + BFD_ALIGN (inote.namesz, 4) + inote.descsz))
      {
        free (contents);
author	Nick Clifton <nickc@redhat.com>
	Wed, 20 Jun 2018 15:30:05 +0000 (16:30 +0100)
committer	Nick Clifton <nickc@redhat.com>
	Wed, 20 Jun 2018 15:30:05 +0000 (16:30 +0100)
bfd/ChangeLog		patch \| blob \| history
bfd/opncls.c		patch \| blob \| history