diff options
Diffstat (limited to 'nixpkgs/pkgs/development/tools/misc/binutils/CVE-2021-3487.patch')
-rw-r--r-- | nixpkgs/pkgs/development/tools/misc/binutils/CVE-2021-3487.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/tools/misc/binutils/CVE-2021-3487.patch b/nixpkgs/pkgs/development/tools/misc/binutils/CVE-2021-3487.patch new file mode 100644 index 000000000000..004271bd45ab --- /dev/null +++ b/nixpkgs/pkgs/development/tools/misc/binutils/CVE-2021-3487.patch @@ -0,0 +1,73 @@ +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 26 Nov 2020 17:08:33 +0000 (+0000) +Subject: Prevent a memory allocation failure when parsing corrupt DWARF debug sections. +X-Git-Tag: binutils-2_36~485 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=647cebce12a6b0a26960220caff96ff38978cf24;hp=239ca5e497dda2c151009d664d500086a5c2173a + +Prevent a memory allocation failure when parsing corrupt DWARF debug sections. + + PR 26946 + * dwarf2.c (read_section): Check for debug sections with excessive + sizes. +--- + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 977bf43a6a1..8bbfc81d3e7 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -531,22 +531,24 @@ read_section (bfd * abfd, + bfd_byte ** section_buffer, + bfd_size_type * section_size) + { +- asection *msec; + const char *section_name = sec->uncompressed_name; + bfd_byte *contents = *section_buffer; +- bfd_size_type amt; + + /* The section may have already been read. */ + if (contents == NULL) + { ++ bfd_size_type amt; ++ asection *msec; ++ ufile_ptr filesize; ++ + msec = bfd_get_section_by_name (abfd, section_name); +- if (! msec) ++ if (msec == NULL) + { + section_name = sec->compressed_name; + if (section_name != NULL) + msec = bfd_get_section_by_name (abfd, section_name); + } +- if (! msec) ++ if (msec == NULL) + { + _bfd_error_handler (_("DWARF error: can't find %s section."), + sec->uncompressed_name); +@@ -554,12 +556,23 @@ read_section (bfd * abfd, + return FALSE; + } + +- *section_size = msec->rawsize ? msec->rawsize : msec->size; ++ amt = bfd_get_section_limit_octets (abfd, msec); ++ filesize = bfd_get_file_size (abfd); ++ if (amt >= filesize) ++ { ++ /* PR 26946 */ ++ _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"), ++ section_name, (long) amt, (long) filesize); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ *section_size = amt; + /* Paranoia - alloc one extra so that we can make sure a string + section is NUL terminated. */ +- amt = *section_size + 1; ++ amt += 1; + if (amt == 0) + { ++ /* Paranoia - this should never happen. */ + bfd_set_error (bfd_error_no_memory); + return FALSE; + } + |