diff options
Diffstat (limited to 'system/binutils/CVE-2018-19932.patch')
-rw-r--r-- | system/binutils/CVE-2018-19932.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/system/binutils/CVE-2018-19932.patch b/system/binutils/CVE-2018-19932.patch new file mode 100644 index 000000000..383aae70f --- /dev/null +++ b/system/binutils/CVE-2018-19932.patch @@ -0,0 +1,47 @@ +From beab453223769279cc1cef68a1622ab8978641f7 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Fri, 30 Nov 2018 11:43:12 +0000 +Subject: [PATCH] Remove an abort in the bfd library and add a check for an + integer overflow when mapping sections to segments. + + PR 23932 + * elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section + size. + (rewrite_elf_program_header): If no sections are mapped into a + segment return an error. +--- + bfd/elf.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/bfd/elf.c b/bfd/elf.c +index 604971d..79a76be 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -6644,6 +6644,7 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd) + the given segment. LMA addresses are compared. */ + #define IS_CONTAINED_BY_LMA(section, segment, base) \ + (section->lma >= base \ ++ && (section->lma + SECTION_SIZE (section, segment) >= section->lma) \ + && (section->lma + SECTION_SIZE (section, segment) \ + <= SEGMENT_END (segment, base))) + +@@ -7167,7 +7168,15 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd) + suggested_lma = output_section; + } + +- BFD_ASSERT (map->count > 0); ++ /* PR 23932. A corrupt input file may contain sections that cannot ++ be assigned to any segment - because for example they have a ++ negative size - or segments that do not contain any sections. */ ++ if (map->count == 0) ++ { ++ bfd_set_error (bfd_error_bad_value); ++ free (sections); ++ return FALSE; ++ } + + /* Add the current segment to the list of built segments. */ + *pointer_to_map = map; +-- +2.9.3 + |