blob: 325c339b886012e6e9d5bf39e075cc31a0185bdd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
From 45a0eaf77022963d639d6d19871dbab7b79703fc Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Tue, 23 Oct 2018 19:02:06 +1030
Subject: [PATCH] PR23806, NULL pointer dereference in merge_strings
PR 23806
* merge.c (_bfd_add_merge_section): Don't attempt to merge
sections with ridiculously large alignments.
Upstream-Status: Backport
CVE: CVE-2018-18606
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
bfd/ChangeLog | 6 ++++++
bfd/merge.c | 15 +++++++++++----
2 files changed, 17 insertions(+), 4 deletions(-)
--- a/bfd/merge.c
+++ b/bfd/merge.c
@@ -24,6 +24,7 @@
as used in ELF SHF_MERGE. */
#include "sysdep.h"
+#include <limits.h>
#include "bfd.h"
#include "elf-bfd.h"
#include "libbfd.h"
@@ -385,12 +386,18 @@ _bfd_add_merge_section (bfd *abfd, void
return TRUE;
}
- align = sec->alignment_power;
- if ((sec->entsize < (unsigned) 1 << align
+#ifndef CHAR_BIT
+#define CHAR_BIT 8
+#endif
+ if (sec->alignment_power >= sizeof (align) * CHAR_BIT)
+ return TRUE;
+
+ align = 1u << sec->alignment_power;
+ if ((sec->entsize < align
&& ((sec->entsize & (sec->entsize - 1))
|| !(sec->flags & SEC_STRINGS)))
- || (sec->entsize > (unsigned) 1 << align
- && (sec->entsize & (((unsigned) 1 << align) - 1))))
+ || (sec->entsize > align
+ && (sec->entsize & (align - 1))))
{
/* Sanity check. If string character size is smaller than
alignment, then we require character size to be a power
|
