From 531336e3a0b79ed60cfc36ad2d6579b6a71175da Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Fri, 2 Dec 2016 16:41:14 +0000 Subject: [PATCH] Fix seg-fault in the linker when examining a corrupt binary. PR ld/20909 * aoutx.h (aout_link_add_symbols): Fix off-by-one error in check for an illegal string offset. Upstream-Status: Backport CVE: CVE-2017-7300 VER: < 2.27-r0.9.1 Signed-off-by: Manjunath Matti --- bfd/ChangeLog | 6 ++++++ bfd/aoutx.h | 3 +-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index d061e66..c8085e7 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -175,6 +175,12 @@ * aoutx.h (find_nearest_line): Handle the case where the function name is empty. +2016-12-02 Nick Clifton + + PR ld/20909 + * aoutx.h (aout_link_add_symbols): Fix off-by-one error in check + for an illegal string offset. + 2016-08-02 Nick Clifton PR ld/17739 diff --git a/bfd/aoutx.h b/bfd/aoutx.h index 4308679..b9ac2b7 100644 --- a/bfd/aoutx.h +++ b/bfd/aoutx.h @@ -3031,10 +3031,9 @@ aout_link_add_symbols (bfd *abfd, struct bfd_link_info *info) continue; /* PR 19629: Corrupt binaries can contain illegal string offsets. */ - if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd)) + if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd)) return FALSE; name = strings + GET_WORD (abfd, p->e_strx); - value = GET_WORD (abfd, p->e_value); flags = BSF_GLOBAL; string = NULL; -- 2.9.3