Fix potential illegal memroy access when using a build-id note with a negative size.

author Nick Clifton <nickc@redhat.com>

Wed, 20 Jun 2018 15:30:05 +0000 (16:30 +0100)

committer Nick Clifton <nickc@redhat.com>

Wed, 20 Jun 2018 15:30:05 +0000 (16:30 +0100)
author Nick Clifton <nickc@redhat.com>
Wed, 20 Jun 2018 15:30:05 +0000 (16:30 +0100)
committer Nick Clifton <nickc@redhat.com>
Wed, 20 Jun 2018 15:30:05 +0000 (16:30 +0100)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog

index 110115c438ea9db828c148b48cbe8e5e68078100..bdbdf69d5aacbac25f7cb771f1a4e54b8a8a5db7 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -10,6 +10,12 @@
         BFD_RELOC_AARCH64_TLSLE_LDST64_TPREL_LO12_NC,
         BFD_RELOC_AARCH64_TLSLE_LDST8_TPREL_LO12_NC.
  
+2018-06-20  Nick Clifton  <nickc@redhat.com>
+
+       PR 23316
+       * opncls.c (get_build_id): Check for a negative or excessive data
+       size in the build-id note.
+
  2018-06-20  Nick Clifton  <nickc@redhat.com>
  
         PR 23299
diff --git a/bfd/opncls.c b/bfd/opncls.c

index 16b568c8ab2d5e65f58ea8ea83d6744fc7fbdce3..e27504545cf177497b7c968241445b8beb2e67f2 100644 (file)
--- a/bfd/opncls.c
+++ b/bfd/opncls.c
@@ -1877,10 +1877,11 @@ get_build_id (bfd *abfd)
    inote.descdata = inote.namedata + BFD_ALIGN (inote.namesz, 4);
    /* FIXME: Should we check for extra notes in this section ?  */
  
-  if (inote.descsz == 0
+  if (inote.descsz <= 0
        || inote.type != NT_GNU_BUILD_ID
        || inote.namesz != 4 /* sizeof "GNU"  */
        || strncmp (inote.namedata, "GNU", 4) != 0
+      || inote.descsz > 0x7ffffffe
        || size < (12 + BFD_ALIGN (inote.namesz, 4) + inote.descsz))
      {
        free (contents);
author	Nick Clifton <nickc@redhat.com>
	Wed, 20 Jun 2018 15:30:05 +0000 (16:30 +0100)
committer	Nick Clifton <nickc@redhat.com>
	Wed, 20 Jun 2018 15:30:05 +0000 (16:30 +0100)
bfd/ChangeLog		patch \| blob \| blame \| history
bfd/opncls.c		patch \| blob \| blame \| history