From 890f750a3b053532a4b839a2dd6243076de12031 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Fri, 21 Jun 2019 11:51:38 +0930
Subject: [PATCH] PR24689, string table corruption

The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
hdr->contents were initialized by setup_group rather than being read
from the file, thus last byte was not zero and string dereference ran
off the end of the buffer.

	PR 24689
	* elfcode.h (elf_object_p): Check type of e_shstrndx section.

Upstream-Status: Backport
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031

CVE: CVE-2019-12972
Affects: <= 2.23.0
Dropped Changelog
Signed-off-by Armin Kuster <akuster@mvista.com>
---
 bfd/ChangeLog | 5 +++++
 bfd/elfcode.h | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

Index: git/bfd/elfcode.h
===================================================================
--- git.orig/bfd/elfcode.h
+++ git/bfd/elfcode.h
@@ -747,7 +747,8 @@ elf_object_p (bfd *abfd)
   /* A further sanity check.  */
   if (i_ehdrp->e_shnum != 0)
     {
-      if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
+      if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
+	  || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
 	{
 	  /* PR 2257:
 	     We used to just goto got_wrong_format_error here