From 9ca499644a21ceb3f946d1c179c38a83be084490 Mon Sep 17 00:00:00 2001
From: "H.J. Lu"
Date: Thu, 18 Sep 2025 16:59:25 -0700
Subject: [PATCH] elf: Don't match corrupt section header in linker input
Don't swap in nor match corrupt section header in linker input to avoid linker crash later.
PR ld/33457
* elfcode.h (elf_swap_shdr_in): Changed to return bool. Return false for corrupt section header in linker input.
(elf_object_p): Reject if elf_swap_shdr_in returns false.
Signed-off-by: H.J. Lu
---
 bfd/elfcode.h | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
--- binutils-2.30.orig/bfd/elfcode.h 2025-11-12 10:36:58.003807494 +0000
+++ binutils-2.30/bfd/elfcode.h 2025-11-12 10:38:58.300780133 +0000
@@ -298,7 +298,7 @@ elf_swap_ehdr_out (bfd *abfd,
 /* Translate an ELF section header table entry in external format into an ELF section header table entry in internal format. */
-static void
+static bfd_boolean
 elf_swap_shdr_in (bfd *abfd,
 const Elf_External_Shdr *src,
 Elf_Internal_Shdr *dst)
@@ -314,12 +314,31 @@ elf_swap_shdr_in (bfd *abfd,
 dst->sh_addr = H_GET_WORD (abfd, src->sh_addr);
 dst->sh_offset = H_GET_WORD (abfd, src->sh_offset);
 dst->sh_size = H_GET_WORD (abfd, src->sh_size);
+
+ /* PR 23657. Check for invalid section size, in sections with contents.
+ Note - we do not set an error value here because the contents
+ of this particular section might not be needed by the consumer. */
+ if (dst->sh_type != SHT_NOBITS)
+ {
+ ufile_ptr filesize = bfd_get_file_size (abfd);
+
+ if (filesize != 0 && dst->sh_size > filesize)
+ {
+ _bfd_error_handler
+ (_("warning: %pB has a corrupt section with a size (%"
+ BFD_VMA_FMT "x) larger than the file size"),
+ abfd, dst->sh_size);
+ return FALSE;
+ }
+ }
+
 dst->sh_link = H_GET_32 (abfd, src->sh_link);
 dst->sh_info = H_GET_32 (abfd, src->sh_info);
 dst->sh_addralign = H_GET_WORD (abfd, src->sh_addralign);
 dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize);
 dst->bfd_section = NULL;
 dst->contents = NULL;
+ return TRUE;
 }
 /* Translate an ELF section header table entry in internal format into an
@@ -613,9 +632,9 @@ elf_object_p (bfd *abfd)
 /* Read the first section header at index 0, and convert to internal form. */
- if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
+ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
+ || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr))
 goto got_no_match;
- elf_swap_shdr_in (abfd, &x_shdr, &i_shdr);
 /* If the section count is zero, the actual count is in the first section header. */
@@ -699,9 +718,9 @@ elf_object_p (bfd *abfd)
 to internal form. */
 for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++)
 {
- if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
+ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
+ || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex))
 goto got_no_match;
- elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
 /* Sanity check sh_link and sh_info. */
 if (i_shdrp[shindex].sh_link >= num_sec)
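Review bot: The added test in elf_swap_shdr_in compares `dst->sh_size` with the file size alone, so a header whose `sh_offset` plus `sh_size` runs past the end of the file still passes whenever the size by itself is smaller than the file. `sh_offset` has already been read at that point, so the condition could bound the whole extent: `if (filesize != 0 && ((ufile_ptr) dst->sh_offset > filesize || dst->sh_size > filesize - dst->sh_offset))`. The comment above the test no longer matches the code, because it says no error is raised since the contents might not be needed, while the new `return FALSE;` makes the caller reject the object; something like `/* Reject a section whose extent exceeds the file size; the caller treats this as no match. */` would be accurate. The early return also leaves `sh_link`, `sh_info`, `sh_addralign`, `sh_entsize`, `bfd_section` and `contents` of `dst` unwritten, which the two call sites in this patch tolerate but which belongs in the function comment; the function's opening lines are outside the hunk.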
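Review bot: Section header 0 now goes through the same size test, yet the context comment right after this call says that a zero section count means the real count is stored in that header, and per the ELF specification that count is kept in `sh_size`, so the field is not a byte length there. A count can hardly exceed the file size in a well-formed file, so the test is probably harmless for header 0, but the call deserves a comment such as `/* Header 0 may carry the section count in sh_size; the size test in elf_swap_shdr_in is applied to it as well. */`. elf_object_p starts and ends outside the hunk.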
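Review bot: A single oversized section header anywhere in the table now sends the whole object to `got_no_match`, and nothing visible in this patch limits that to linker input, although the commit message describes the rejection as applying to linker input; the same holds for the header-0 call in the previous hunk. BFD-based inspection tools used to examine malformed binaries would presumably then refuse the file instead of warning and continuing. If the narrower behaviour is intended, gate the `return FALSE;` in elf_swap_shdr_in on the BFD being linker input (upstream BFD carries an `is_linker_input` flag on `bfd`; confirm it is available in this 2.30 tree) and state the policy in a comment at this call. The warning is also raised on the format-probe path, so it may be printed more than once if several ELF targets are tried; that is inferred, since the target iteration and the rest of elf_object_p are outside the hunk.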