blob: 9bd9207bb5cfb075821aff726f56675705a0593c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
From 8a5f4f2ebe7f35ac5646060fa51e3332f6ef388c Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Fri, 4 Jan 2019 13:44:34 +0000
Subject: [PATCH] Fix a possible integer overflow problem when examining
corrupt binaries using a 32-bit binutil.
PR 24005
* objdump.c (load_specific_debug_section): Check for integer
overflow before attempting to allocate contents.
CVE: CVE-2018-20671
Upstream-Status: Backport
[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11fa9f134fd658075c6f74499c780df045d9e9ca]
Signed-off-by: Dan Tran <dantran@microsoft.com>
---
binutils/objdump.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/binutils/objdump.c b/binutils/objdump.c
index f468fcdb59..89ca688938 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -2503,12 +2503,19 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
section->reloc_info = NULL;
section->num_relocs = 0;
section->address = bfd_get_section_vma (abfd, sec);
+ section->user_data = sec;
section->size = bfd_get_section_size (sec);
amt = section->size + 1;
+ if (amt == 0 || amt > bfd_get_file_size (abfd))
+ {
+ section->start = NULL;
+ free_debug_section (debug);
+ printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
+ section->name, (unsigned long long) section->size);
+ return FALSE;
+ }
section->start = contents = malloc (amt);
- section->user_data = sec;
- if (amt == 0
- || section->start == NULL
+ if (section->start == NULL
|| !bfd_get_full_section_contents (abfd, sec, &contents))
{
free_debug_section (debug);
--
2.22.0.vfs.1.1.57.gbaf16c8
|