forked from Imagelibrary/binutils-gdb
Re: PR31692, objdump fails .debug_info size check
The fuzzers found a hole. bfd_section_size_insane doesn't check !SEC_HAS_CONTENTS sections against file size for obvious reasons, which allows fuzzed debug sections to be stupidly large. Real debug sections of course always have contents. PR 31692 * objdump.c (load_specific_debug_section): Don't allow sections without contents.
This commit is contained in:
Alan Modra
@@ -4307,41 +4307,45 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
|
||||
return false;
|
||||
}
|
||||
|
||||
section->start = contents = xmalloc (alloced);
|
||||
/* Ensure any string section has a terminating NUL. */
|
||||
section->start[section->size] = 0;
|
||||
|
||||
if ((abfd->flags & (EXEC_P | DYNAMIC)) == 0
|
||||
&& debug_displays [debug].relocate)
|
||||
ret = false;
|
||||
if ((sec->flags & SEC_HAS_CONTENTS) != 0)
|
||||
{
|
||||
ret = bfd_simple_get_relocated_section_contents (abfd,
|
||||
sec,
|
||||
section->start,
|
||||
syms) != NULL;
|
||||
if (ret)
|
||||
section->start = contents = xmalloc (alloced);
|
||||
/* Ensure any string section has a terminating NUL. */
|
||||
section->start[section->size] = 0;
|
||||
|
||||
if ((abfd->flags & (EXEC_P | DYNAMIC)) == 0
|
||||
&& debug_displays [debug].relocate)
|
||||
{
|
||||
long reloc_size = bfd_get_reloc_upper_bound (abfd, sec);
|
||||
|
||||
if (reloc_size > 0)
|
||||
ret = bfd_simple_get_relocated_section_contents (abfd,
|
||||
sec,
|
||||
section->start,
|
||||
syms) != NULL;
|
||||
if (ret)
|
||||
{
|
||||
long reloc_count;
|
||||
arelent **relocs;
|
||||
long reloc_size = bfd_get_reloc_upper_bound (abfd, sec);
|
||||
|
||||
relocs = (arelent **) xmalloc (reloc_size);
|
||||
|
||||
reloc_count = bfd_canonicalize_reloc (abfd, sec, relocs, syms);
|
||||
if (reloc_count <= 0)
|
||||
free (relocs);
|
||||
else
|
||||
if (reloc_size > 0)
|
||||
{
|
||||
section->reloc_info = relocs;
|
||||
section->num_relocs = reloc_count;
|
||||
long reloc_count;
|
||||
arelent **relocs;
|
||||
|
||||
relocs = (arelent **) xmalloc (reloc_size);
|
||||
|
||||
reloc_count = bfd_canonicalize_reloc (abfd, sec, relocs, syms);
|
||||
if (reloc_count <= 0)
|
||||
free (relocs);
|
||||
else
|
||||
{
|
||||
section->reloc_info = relocs;
|
||||
section->num_relocs = reloc_count;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
ret = bfd_get_full_section_contents (abfd, sec, &contents);
|
||||
}
|
||||
else
|
||||
ret = bfd_get_full_section_contents (abfd, sec, &contents);
|
||||
|
||||
if (!ret)
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user