Remove an abort in the bfd library and add a check for an integer overflow when mappi...
authorNick Clifton <nickc@redhat.com>
Fri, 30 Nov 2018 11:43:12 +0000 (11:43 +0000)
committerNick Clifton <nickc@redhat.com>
Fri, 30 Nov 2018 11:43:12 +0000 (11:43 +0000)
PR 23932
* elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section
size.
(rewrite_elf_program_header): If no sections are mapped into a
segment return an error.

bfd/ChangeLog
bfd/elf.c

index 8f455ae..6ea4835 100644 (file)
@@ -1,3 +1,11 @@
+2018-11-30  Nick Clifton  <nickc@redhat.com>
+
+       PR 23932
+       * elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section
+       size.
+       (rewrite_elf_program_header): If no sections are mapped into a
+       segment return an error.
+
 2018-11-30  Alan Modra  <amodra@gmail.com>
 
        PR 23937
index 604971d..79a76be 100644 (file)
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -6644,6 +6644,7 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd)
      the given segment.  LMA addresses are compared.  */
 #define IS_CONTAINED_BY_LMA(section, segment, base)                    \
   (section->lma >= base                                                        \
+   && (section->lma + SECTION_SIZE (section, segment) >= section->lma) \
    && (section->lma + SECTION_SIZE (section, segment)                  \
        <= SEGMENT_END (segment, base)))
 
@@ -7167,7 +7168,15 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd)
                suggested_lma = output_section;
            }
 
-         BFD_ASSERT (map->count > 0);
+         /* PR 23932.  A corrupt input file may contain sections that cannot
+            be assigned to any segment - because for example they have a
+            negative size - or segments that do not contain any sections.  */
+         if (map->count == 0)
+           {
+             bfd_set_error (bfd_error_bad_value);
+             free (sections);
+             return FALSE;
+           }
 
          /* Add the current segment to the list of built segments.  */
          *pointer_to_map = map;