Prevent a buffer overrun error when attempting to parse a corrupt ELF file.

PR 24273 * elf.c (bfd_elf_string_from_elf_section): Check for a string section that is not NUL terminated.
2019-02-28 14:30:20 +00:00 · 2019-02-28 14:30:20 +00:00 · eed5def8d0
commit eed5def8d0
parent 9c4c331816
2 changed files with 17 additions and 1 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,9 @@
+2019-02-28  Nick Clifton  <nickc@redhat.com>
+
+	PR 24273
+	* elf.c (bfd_elf_string_from_elf_section): Check for a string
+	section that is not NUL terminated.
+
 2019-02-27  H.J. Lu  <hongjiu.lu@intel.com>

 	PR ld/24276
--- a/bfd/elf.c
+++ b/bfd/elf.c
@ -351,6 +351,16 @@ bfd_elf_string_from_elf_section (bfd *abfd,
      if (bfd_elf_get_str_section (abfd, shindex) == NULL)
 	return NULL;
    }
+  else
+    {
+      /* PR 24273: The string section's contents may have already
+	 been loaded elsewhere, eg because a corrupt file has the
+	 string section index in the ELF header pointing at a group
+	 section.  So be paranoid, and test that the last byte of
+	 the section is zero.  */
+      if (hdr->sh_size == 0 || hdr->contents[hdr->sh_size - 1] != 0)
+	return NULL;
+    }

  if (strindex >= hdr->sh_size)
    {
@ -655,7 +665,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
 		  BFD_ASSERT (sizeof (*dest) >= 4);
 		  amt = shdr->sh_size * sizeof (*dest) / 4;
 		  shdr->contents = (unsigned char *)
-		      bfd_alloc2 (abfd, shdr->sh_size, sizeof (*dest) / 4);
+		    bfd_alloc2 (abfd, shdr->sh_size, sizeof (*dest) / 4);
 		  /* PR binutils/4110: Handle corrupt group headers.  */
 		  if (shdr->contents == NULL)
 		    {