path: root/system/binutils/CVE-2018-19931.patch
From 5f60af5d24d181371d67534fa273dd221df20c07 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Fri, 30 Nov 2018 11:45:33 +0000
Subject: [PATCH] Fix a memory exhaustion bug when attempting to allocate room
 for an impossible number of program headers.

	* elfcode.h (elf_object_p): Check for corrupt input files with
	more program headers than can actually fit in the file.
---
 bfd/elfcode.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index f224c8b..16ed8e5 100644
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -784,6 +784,11 @@ elf_object_p (bfd *abfd)
       if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))
 	goto got_wrong_format_error;
 #endif
+      /* Check for a corrupt input file with an impossibly large number
+	 of program headers.  */
+      if (bfd_get_file_size (abfd) > 0
+	  && i_ehdrp->e_phnum > bfd_get_file_size (abfd))
+	goto got_no_match;
       amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr);
       elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);
       if (elf_tdata (abfd)->phdr == NULL)
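Review bot: The added guard `i_ehdrp->e_phnum > bfd_get_file_size (abfd)` compares a count of program headers against a size in bytes, so a corrupt file may still claim about one header per byte of file. The `bfd_alloc` two lines below then requests `e_phnum * sizeof (*i_phdr)`, which can be many times the file size. Dividing by the on-disk entry size gives the bound the comment describes, e.g. `&& i_ehdrp->e_phnum > bfd_get_file_size (abfd) / sizeof (Elf_External_Phdr))`, assuming that type is in scope here as it is elsewhere in elfcode.h. The guard is also skipped whenever `bfd_get_file_size` returns 0, leaving only the overflow check above it, which the comment should state. `elf_object_p` begins and ends outside this hunk, so the cleanup done at `got_no_match` is not visible here.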
-- 
2.9.3