This is the mail archive of the
binutils@sourceware.org
mailing list for the binutils project.
PR19323 memory allocation greater than 4G
- From: Alan Modra <amodra at gmail dot com>
- To: binutils at sourceware dot org
- Date: Mon, 7 Dec 2015 13:50:28 +1030
- Subject: PR19323 memory allocation greater than 4G
- Authentication-results: sourceware.org; auth=none
On 32-bit targets, memory requested for program/section headers on a
fuzzed binary can wrap to 0. A bfd_alloc of zero bytes actually
returns a one byte allocation rather than a NULL pointer. This then
leads to buffer overflows.
Making this check unconditional triggers an extremely annoying gcc-5
warning.
PR19323
* elfcode.h (elf_object_p): Check for ridiculous e_shnum and
e_phnum values.
diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index 26af1d1..915c8d5 100644
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -676,6 +676,10 @@ elf_object_p (bfd *abfd)
Elf_Internal_Shdr *shdrp;
unsigned int num_sec;
+#ifndef BFD64
+ if (i_ehdrp->e_shnum > ((bfd_size_type) -1) / sizeof (*i_shdrp))
+ goto got_wrong_format_error;
+#endif
amt = sizeof (*i_shdrp) * i_ehdrp->e_shnum;
i_shdrp = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
if (!i_shdrp)
@@ -766,7 +770,11 @@ elf_object_p (bfd *abfd)
Elf_Internal_Phdr *i_phdr;
unsigned int i;
- amt = i_ehdrp->e_phnum * sizeof (Elf_Internal_Phdr);
+#ifndef BFD64
+ if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))
+ goto got_wrong_format_error;
+#endif
+ amt = i_ehdrp->e_phnum * sizeof (*i_phdr);
elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);
if (elf_tdata (abfd)->phdr == NULL)
goto got_no_match;
--
Alan Modra
Australia Development Lab, IBM