[patch] sanity check bfd_is_section_compressed header

DJ Delorie dj@redhat.com
Wed Jun 5 19:18:00 GMT 2013


Had a customer library where the first string in [non-compressed]
.debug_str was "ZLIB_COMPRESS_ERROR".  The linker tried to allocate a
few hundred terabytes to decompress it, because it *only* checks for
"ZLIB" as the signature.  On ASCII systems, this sanity check assumes
an uncompressed size greater than half a terabyte is unreasonable.  Is
this a reasonable sanity check?  (if you answer "no" you get to come
up with a better check ;)

	* compress.c (bfd_is_section_compressed): Sanity check the ZLIB
	header in case the first string happens to start with ZLIB.
 
Index: compress.c
===================================================================
RCS file: /cvs/src/src/bfd/compress.c,v
retrieving revision 1.20
diff -p -U 5 -r1.20 compress.c
--- compress.c	17 Apr 2013 14:16:01 -0000	1.20
+++ compress.c	5 Jun 2013 19:08:21 -0000
@@ -20,10 +20,11 @@
    MA 02110-1301, USA.  */
 
 #include "sysdep.h"
 #include "bfd.h"
 #include "libbfd.h"
+#include "safe-ctype.h"
 #ifdef HAVE_ZLIB_H
 #include <zlib.h>
 #endif
 
 #ifdef HAVE_ZLIB_H
@@ -302,10 +303,17 @@ bfd_is_section_compressed (bfd *abfd, se
   /* Read the zlib header.  In this case, it should be "ZLIB" followed
      by the uncompressed section size, 8 bytes in big-endian order.  */
   compressed = (bfd_get_section_contents (abfd, sec, compressed_buffer, 0, 12)
 		&& CONST_STRNEQ ((char*) compressed_buffer, "ZLIB"));
 
+  /* Sanity check, in case the first string in the section *happens*
+     to start with "ZLIB".  Uncompressed data will appear unreasonably
+     large if either of the next two bytes happen to be valid symbol name
+     characters.  */
+  if (ISPRINT (compressed_buffer[4]) || ISPRINT (compressed_buffer[5]))
+    compressed = 0;
+
   /* Restore compress_status.  */
   sec->compress_status = saved;
   return compressed;
 }
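Review bot: the ISPRINT test added at the end of this hunk reads compressed_buffer[4] and compressed_buffer[5] even when the bfd_get_section_contents call or the "ZLIB" compare just above it failed, so it inspects bytes the read may never have filled in; guard it with the result already computed, e.g. `if (compressed && (ISPRINT (compressed_buffer[4]) || ISPRINT (compressed_buffer[5])))`. The heuristic is also not monotone in the size it is meant to bound: per the hunk's own comment, bytes 4 and 5 are the two most significant bytes of the 8-byte big-endian uncompressed size, so a value in 0x20..0x7e rejects the section while 0x7f..0xff, which encodes an even larger size, passes. Testing `compressed_buffer[4] != 0 || compressed_buffer[5] != 0` rejects every size of 2^48 bytes or more, still catches the "ZLIB_COMPRESS_ERROR" case ('_' and 'C' are nonzero) and does not depend on the character set; the new comment's "valid symbol name characters" would then want rewording anyway, since ISPRINT also matches space and punctuation.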
 
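As an added illustration, not part of the patch or of BFD, the following C program parses the 12-byte header described in the hunk's comment ("ZLIB" followed by the uncompressed size as 8 big-endian bytes) on three constructed inputs: an uncompressed .debug_str that begins with the string "ZLIB_COMPRESS_ERROR" as in the report, a genuine header for a 4 KiB section, and a header whose leading size bytes are 0xff. It compares the patch's printable-byte heuristic, restated here in plain ASCII terms, with a direct bound on the decoded size. The 2^48-byte bound, the function names and the sample bytes are this example's assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header layout from the patch: "ZLIB" followed by the uncompressed
   section size as 8 bytes in big-endian order, 12 bytes in total.  */
#define ZLIB_HDR_LEN 12

/* Assumed upper bound on a plausible uncompressed size: 2^48 bytes
   (256 TiB).  A header claiming more is treated as a false match.  */
#define MAX_PLAUSIBLE_SIZE (1ULL << 48)

/* Decode an 8-byte big-endian field.  */
static uint64_t
decode_be64 (const unsigned char *p)
{
  uint64_t v = 0;
  for (int i = 0; i < 8; i++)
    v = (v << 8) | p[i];
  return v;
}

/* Return 1 if BUF (LEN bytes) starts with a ZLIB header whose size is
   plausible, 0 otherwise.  When the magic matched, the decoded size is
   stored in *SIZE_OUT so a caller can see what a false match claims.  */
static int
zlib_header_is_plausible (const unsigned char *buf, size_t len,
                          uint64_t *size_out)
{
  if (len < ZLIB_HDR_LEN || memcmp (buf, "ZLIB", 4) != 0)
    return 0;
  uint64_t size = decode_be64 (buf + 4);
  if (size_out)
    *size_out = size;
  return size <= MAX_PLAUSIBLE_SIZE;
}

/* The patch's heuristic restated for ASCII: reject when either of the
   two most significant size bytes is printable (0x20..0x7e).  Bytes
   0x7f..0xff, which encode even larger sizes, are not caught.  */
static int
isprint_heuristic_rejects (const unsigned char *buf)
{
  return (buf[4] >= 0x20 && buf[4] <= 0x7e)
         || (buf[5] >= 0x20 && buf[5] <= 0x7e);
}

/* Constructed inputs.  */
/* Uncompressed .debug_str whose first string is the one from the
   report; the "size" bytes are the letters "_COMPRES".  */
static const unsigned char sample_debug_str[] = "ZLIB_COMPRESS_ERROR";
/* Genuine header for a section that decompresses to 4096 bytes.  */
static const unsigned char sample_compressed[] =
  { 'Z', 'L', 'I', 'B', 0, 0, 0, 0, 0, 0, 0x10, 0 };
/* Bogus header whose leading size bytes are outside the printable range.  */
static const unsigned char sample_highbyte[] =
  { 'Z', 'L', 'I', 'B', 0xff, 0xff, 0, 0, 0, 0, 0, 0 };

static void
report (const char *name, const unsigned char *buf, size_t len)
{
  uint64_t size = 0;
  int ok = zlib_header_is_plausible (buf, len, &size);
  printf ("%-11s claimed size 0x%016llx  bound: %s  isprint heuristic: %s\n",
          name, (unsigned long long) size,
          ok ? "accept" : "reject",
          isprint_heuristic_rejects (buf) ? "reject" : "accept");
}

int
main (void)
{
  report ("debug_str", sample_debug_str, sizeof sample_debug_str);
  report ("compressed", sample_compressed, sizeof sample_compressed);
  report ("highbyte", sample_highbyte, sizeof sample_highbyte);
  return 0;
}
```

Build with any C99 compiler (`cc -std=c99 -Wall zlibhdr.c`). The first input is rejected by both checks, the second accepted by both; the third shows the difference between them: the decoded size is far above the bound, but neither of its leading bytes is printable, so the printable-byte heuristic lets it through.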