binutils/SOURCES/binutils-CVE-2018-8945.patch
2021-10-06 15:46:35 +00:00

30 lines
1.3 KiB
Diff

diff -rup binutils.orig/bfd/elf-attrs.c binutils-2.30/bfd/elf-attrs.c
--- binutils.orig/bfd/elf-attrs.c 2018-05-17 14:14:04.341805666 +0100
+++ binutils-2.30/bfd/elf-attrs.c 2018-05-17 14:15:19.729952453 +0100
@@ -438,6 +438,14 @@ _bfd_elf_parse_attributes (bfd *abfd, El
/* PR 17512: file: 2844a11d. */
if (hdr->sh_size == 0)
return;
+ if (hdr->sh_size > bfd_get_file_size (abfd))
+ {
+ _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),
+ abfd, hdr->bfd_section, (long long) hdr->sh_size);
+ bfd_set_error (bfd_error_invalid_operation);
+ return;
+ }
+
contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);
if (!contents)
return;
diff -rup binutils.orig/bfd/elf.c binutils-2.30/bfd/elf.c
--- binutils.orig/bfd/elf.c 2018-05-17 14:14:04.326805836 +0100
+++ binutils-2.30/bfd/elf.c 2018-05-17 14:15:59.412503342 +0100
@@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
/* Allocate and clear an extra byte at the end, to prevent crashes
in case the string table is not terminated. */
if (shstrtabsize + 1 <= 1
+ || shstrtabsize > bfd_get_file_size (abfd)
|| bfd_seek (abfd, offset, SEEK_SET) != 0
|| (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
shstrtab = NULL;