From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Thu, 20 Sep 2018 18:23:17 +0930 Subject: [PATCH 1/1] PR23685, buffer overflow PR 23685 * peXXigen.c (pe_print_edata): Correct export address table overflow checks. Check dataoff against section size too. --- diff -urNp a/bfd/ChangeLog b/bfd/ChangeLog --- a/bfd/ChangeLog 2019-06-05 23:46:11.460000000 +0800 +++ b/bfd/ChangeLog 2019-06-05 23:59:36.030000000 +0800 @@ -1,4 +1,9 @@ 2018-09-20 Alan Modra + PR 23685 + * peXXigen.c (pe_print_edata): Correct export address table + overflow checks. Check dataoff against section size too. + +2018-09-20 Alan Modra PR 23686 * dwarf2.c (read_section): Error when attempting to malloc "(bfd_size_type) -1". diff -urNp a/bfd/peXXigen.c b/bfd/peXXigen.c --- a/bfd/peXXigen.c 2019-06-05 23:46:11.460000000 +0800 +++ b/bfd/peXXigen.c 2019-06-06 00:03:40.100000000 +0800 @@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile dataoff = addr - section->vma; datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size; - if (datasize > section->size - dataoff) + if (dataoff > section->size + || datasize > section->size - dataoff) { fprintf (file, _("\nThere is an export table in %s, but it does not fit into that section\n"), @@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile edt.base); /* PR 17512: Handle corrupt PE binaries. */ - if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize + /* PR 17512 file: 140-165018-0.004. */ + if (edt.eat_addr - adj >= datasize /* PR 17512: file: 092b1829 */ - || (edt.num_functions * 4) < edt.num_functions - /* PR 17512 file: 140-165018-0.004. */ - || data + edt.eat_addr - adj < data) + || (edt.num_functions + 1) * 4 < edt.num_functions + || edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize) fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"), (long) edt.eat_addr, (long) edt.num_functions);