blob: 102d65f8a62efb65f75be8bb8e8202ac16bc65f2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From ef186fe54aa6d281a3ff8a9528417e5cc614c797 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Sat, 13 Aug 2022 15:32:47 +0930
Subject: [PATCH] PR29482 - strip: heap-buffer-overflow
PR 29482
* coffcode.h (coff_set_section_contents): Sanity check _LIB.
CVE: CVE-2022-38533
Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797]
Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
---
bfd/coffcode.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/bfd/coffcode.h b/bfd/coffcode.h
index dec2e9c6370..75c18d88602 100644
--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -4170,10 +4170,13 @@ coff_set_section_contents (bfd * abfd,
rec = (bfd_byte *) location;
recend = rec + count;
- while (rec < recend)
+ while (recend - rec >= 4)
{
+ size_t len = bfd_get_32 (abfd, rec);
+ if (len == 0 || len > (size_t) (recend - rec) / 4)
+ break;
+ rec += len * 4;
++section->lma;
- rec += bfd_get_32 (abfd, rec) * 4;
}
BFD_ASSERT (rec == recend);
|
