packages/binutils
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
binutils/binutils-CVE-2018-17360.patch
overweight 5244593cc2 Package init
2019-09-30 10:32:27 -04:00

53 lines
2.1 KiB
Diff
Raw Blame History

From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Thu, 20 Sep 2018 18:23:17 +0930
Subject: [PATCH 1/1] PR23685, buffer overflow
PR 23685
* peXXigen.c (pe_print_edata): Correct export address table
overflow checks. Check dataoff against section size too.
---
diff -urNp a/bfd/ChangeLog b/bfd/ChangeLog
--- a/bfd/ChangeLog 2019-06-05 23:46:11.460000000 +0800
+++ b/bfd/ChangeLog 2019-06-05 23:59:36.030000000 +0800
@@ -1,4 +1,9 @@
2018-09-20 Alan Modra <amodra@gmail.com>
+ PR 23685
+ * peXXigen.c (pe_print_edata): Correct export address table
+ overflow checks. Check dataoff against section size too.
+
+2018-09-20 Alan Modra <amodra@gmail.com>
PR 23686
* dwarf2.c (read_section): Error when attempting to malloc
"(bfd_size_type) -1".
diff -urNp a/bfd/peXXigen.c b/bfd/peXXigen.c
--- a/bfd/peXXigen.c 2019-06-05 23:46:11.460000000 +0800
+++ b/bfd/peXXigen.c 2019-06-06 00:03:40.100000000 +0800
@@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile
dataoff = addr - section->vma;
datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size;
- if (datasize > section->size - dataoff)
+ if (dataoff > section->size
+ || datasize > section->size - dataoff)
{
fprintf (file,
_("\nThere is an export table in %s, but it does not fit into that section\n"),
@@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile
edt.base);
/* PR 17512: Handle corrupt PE binaries. */
- if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize
+ /* PR 17512 file: 140-165018-0.004. */
+ if (edt.eat_addr - adj >= datasize
/* PR 17512: file: 092b1829 */
- || (edt.num_functions * 4) < edt.num_functions
- /* PR 17512 file: 140-165018-0.004. */
- || data + edt.eat_addr - adj < data)
+ || (edt.num_functions + 1) * 4 < edt.num_functions
+ || edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize)
fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
(long) edt.eat_addr,
(long) edt.num_functions);
Reference in New Issue View Git Blame Copy Permalink