Fix illegal memory access triggered when parsing a PE binary with a corrupt data dictionary.

PR 22373 * peicode.h (pe_bfd_read_buildid): Check for invalid size and data offset values.
author: Nick Clifton <nickc@redhat.com> 2017-10-31 14:29:40 +0000
committer: Nick Clifton <nickc@redhat.com> 2017-10-31 14:29:40 +0000
commit: 0bb6961f18b8e832d88b490d421ca56cea16c45b (patch)
tree: abfdb80a84ee56a422f7f3605f4461f5228a5c40 /bfd/peicode.h
parent: 45ac8f4f107f50d77a8514ee8a244b82c1a8ea0c (diff)
download: binutils-gdb-0bb6961f18b8e832d88b490d421ca56cea16c45b.tar.gz
1 files changed, 6 insertions, 3 deletions
diff --git a/bfd/peicode.h b/bfd/peicode.h
index 2dffb12072b..f3b759cce88 100644
--- a/bfd/peicode.h
+++ b/bfd/peicode.h
@@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd)
   bfd_byte *data = 0;
   bfd_size_type dataoff;
   unsigned int i;
-
   bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress;
   bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size;
 
@@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd)
 
   dataoff = addr - section->vma;
 
-  /* PR 20605: Make sure that the data is really there.  */
-  if (dataoff + size > section->size)
+  /* PR 20605 and 22373: Make sure that the data is really there.
+     Note - since we are dealing with unsigned quantities we have
+     to be careful to check for potential overflows.  */
+  if (dataoff > section->size
+      || size > section->size
+      || dataoff + size > section->size)
     {
       _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),
 			  abfd);
author	Nick Clifton <nickc@redhat.com>	2017-10-31 14:29:40 +0000
committer	Nick Clifton <nickc@redhat.com>	2017-10-31 14:29:40 +0000
commit	0bb6961f18b8e832d88b490d421ca56cea16c45b (patch)
tree	abfdb80a84ee56a422f7f3605f4461f5228a5c40 /bfd/peicode.h
parent	45ac8f4f107f50d77a8514ee8a244b82c1a8ea0c (diff)
download	binutils-gdb-0bb6961f18b8e832d88b490d421ca56cea16c45b.tar.gz