Prevent illegal memory accesses when attempting to read excessively large COFF line...

author Nick Clifton <nickc@redhat.com>

Wed, 1 Nov 2017 15:21:46 +0000 (15:21 +0000)

committer Nick Clifton <nickc@redhat.com>

Wed, 1 Nov 2017 15:21:46 +0000 (15:21 +0000)
author Nick Clifton <nickc@redhat.com>
Wed, 1 Nov 2017 15:21:46 +0000 (15:21 +0000)
committer Nick Clifton <nickc@redhat.com>
Wed, 1 Nov 2017 15:21:46 +0000 (15:21 +0000)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog

index 60fbc9c..35308ab 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,11 @@
  2017-11-01  Nick Clifton  <nickc@redhat.com>
  
+       PR 22376
+       * coffcode.h (coff_slurp_line_table): Check for an excessively
+       large line number count.
+
+2017-11-01  Nick Clifton  <nickc@redhat.com>
+
         PR 22373
         * peicode.h (pe_bfd_read_buildid): Revise check for invalid size
         and offset in light of further possible bogus values.
diff --git a/bfd/coffcode.h b/bfd/coffcode.h

index 21308de..6da0afa 100644 (file)
--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -4578,6 +4578,14 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
  
    BFD_ASSERT (asect->lineno == NULL);
  
+  if (asect->lineno_count > asect->size)
+    {
+      _bfd_error_handler
+       (_("%B: warning: line number count (%#lx) exceeds section size (%#lx)"),
+        abfd, (unsigned long) asect->lineno_count, (unsigned long) asect->size);
+      return FALSE;
+    }
+
    amt = ((bfd_size_type) asect->lineno_count + 1) * sizeof (alent);
    lineno_cache = (alent *) bfd_alloc (abfd, amt);
    if (lineno_cache == NULL)
author	Nick Clifton <nickc@redhat.com>
	Wed, 1 Nov 2017 15:21:46 +0000 (15:21 +0000)
committer	Nick Clifton <nickc@redhat.com>
	Wed, 1 Nov 2017 15:21:46 +0000 (15:21 +0000)
bfd/ChangeLog		patch \| blob \| history
bfd/coffcode.h		patch \| blob \| history