Fix buffer read overrun by ensuring that DWARF sections containing strings always end in a NUL byte.

	PR 22047
	* dwarf2.c (read_section): If necessary add a terminating NUL byte
	to dwarf string sections.

1 files changed, 23 insertions, 0 deletions

diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 22d6d56407f..40a187a1a43 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -566,6 +566,29 @@ read_section (bfd *           abfd,
 					  0, *section_size))
 	    return FALSE;
 	}
+
+      /* Paranoia - if we are reading in a string section, make sure that it
+	 is NUL terminated.  This is to prevent string functions from running
+	 off the end of the buffer.  Note - knowing the size of the buffer is
+	 not enough as some functions, eg strchr, do not have a range limited
+	 equivalent.
+
+	 FIXME: We ought to use a flag in the dwarf_debug_sections[] table to
+	 determine the nature of a debug section, rather than checking the
+	 section name as we do here.  */
+      if (*section_size > 0
+	  && (*section_buffer)[*section_size - 1] != 0
+	  && (strstr (section_name, "_str") || strstr (section_name, "names")))
+	{
+	  bfd_byte * new_buffer = malloc (*section_size + 1);
+
+	  _bfd_error_handler (_("warning: dwarf string section '%s' is not NUL terminated"),
+			      section_name);
+	  memcpy (new_buffer, *section_buffer, *section_size);
+	  new_buffer[*section_size] = 0;
+	  free (*section_buffer);
+	  *section_buffer = new_buffer;
+	}
     }
 
   /* It is possible to get a bad value for the offset into the section