From b899eb3bb807be1094fde9a2f1c8628232bc0743 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Thu, 9 Jan 2020 15:49:08 +0000
Subject: [PATCH] Fix an illegal memory access triggered when trying to examine
 an input file containing corrupt compressed sections.

	PR 25221
	* bfd.c (bfd_convert_section_contents): Check for a compress
	header size that is larger than the actual section size.
---
 bfd/ChangeLog |  6 ++++++
 bfd/bfd.c     | 16 ++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 306f2e6512..aae0832e3d 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2020-01-09  Nick Clifton  <nickc@redhat.com>
+
+	PR 25221
+	* bfd.c (bfd_convert_section_contents): Check for a compress
+	header size that is larger than the actual section size.
+
 2020-01-08  Alan Modra  <amodra@gmail.com>
 
 	PR 25351
diff --git a/bfd/bfd.c b/bfd/bfd.c
index d590e0a4e9..b1050626b6 100644
--- a/bfd/bfd.c
+++ b/bfd/bfd.c
@@ -2768,7 +2768,7 @@ bfd_convert_section_contents (bfd *ibfd, sec_ptr isec, bfd *obfd,
       || bfd_get_flavour (obfd) != bfd_target_elf_flavour)
     return TRUE;
 
-  /* Do nothing if ELF classes of input and output are the same. */
+  /* Do nothing if ELF classes of input and output are the same.  */
   if (get_elf_backend_data (ibfd)->s->elfclass
       == get_elf_backend_data (obfd)->s->elfclass)
     return TRUE;
@@ -2782,11 +2782,17 @@ bfd_convert_section_contents (bfd *ibfd, sec_ptr isec, bfd *obfd,
   if ((ibfd->flags & BFD_DECOMPRESS))
     return TRUE;
 
-  /* Do nothing if the input section isn't a SHF_COMPRESSED section. */
+  /* Do nothing if the input section isn't a SHF_COMPRESSED section.  */
   ihdr_size = bfd_get_compression_header_size (ibfd, isec);
   if (ihdr_size == 0)
     return TRUE;
 
+  /* PR 25221.  Check for corrupt input sections.  */
+  if (ihdr_size > bfd_get_section_limit (ibfd, isec))
+    /* FIXME: Issue a warning about a corrupt
+       compression header size field ?  */
+    return FALSE;
+
   contents = *ptr;
 
   /* Convert the contents of the input SHF_COMPRESSED section to
@@ -2803,6 +2809,12 @@ bfd_convert_section_contents (bfd *ibfd, sec_ptr isec, bfd *obfd,
 
       use_memmove = FALSE;
     }
+  else if (ihdr_size != sizeof (Elf64_External_Chdr))
+    {
+      /* FIXME: Issue a warning about a corrupt
+	 compression header size field ?  */
+      return FALSE;
+    }
   else
     {
       Elf64_External_Chdr *echdr = (Elf64_External_Chdr *) contents;
-- 
2.34.1