summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
blob: 07d1d654674692bf07c1069e756044e70fe79197 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
From 30bcc01478433a1cb05b36dc5c4beef7d2c89b5b Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Fri, 21 Jun 2019 11:51:38 +0930
Subject: [PATCH] PR24689, string table corruption

The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
hdr->contents were initialized by setup_group rather than being read
from the file, thus last byte was not zero and string dereference ran
off the end of the buffer.

	PR 24689
	* elfcode.h (elf_object_p): Check type of e_shstrndx section.

Upstream-Status: Backport
CVE: CVE-2019-12972
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 bfd/ChangeLog | 5 +++++
 bfd/elfcode.h | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 91f09e6346..e66fb40a2c 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,8 @@
+2019-06-21  Alan Modra  <amodra@gmail.com>
+
+	PR 24689
+	* elfcode.h (elf_object_p): Check type of e_shstrndx section.
+
 2019-02-20  Alan Modra  <amodra@gmail.com>
 
 	PR 24236
diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index ec5ea766de..a35a629087 100644
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -755,7 +755,8 @@ elf_object_p (bfd *abfd)
   /* A further sanity check.  */
   if (i_ehdrp->e_shnum != 0)
     {
-      if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
+      if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
+	  || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
 	{
 	  /* PR 2257:
 	     We used to just goto got_wrong_format_error here
-- 
2.20.1