From beab453223769279cc1cef68a1622ab8978641f7 Mon Sep 17 00:00:00 2001 From: Nick Clifton <nickc@redhat.com> Date: Fri, 30 Nov 2018 11:43:12 +0000 Subject: [PATCH] Remove an abort in the bfd library and add a check for an integer overflow when mapping sections to segments. PR 23932 * elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section size. (rewrite_elf_program_header): If no sections are mapped into a segment return an error. --- bfd/elf.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/bfd/elf.c b/bfd/elf.c index 604971d..79a76be 100644 --- a/bfd/elf.c +++ b/bfd/elf.c @@ -6644,6 +6644,7 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd) the given segment. LMA addresses are compared. */ #define IS_CONTAINED_BY_LMA(section, segment, base) \ (section->lma >= base \ + && (section->lma + SECTION_SIZE (section, segment) >= section->lma) \ && (section->lma + SECTION_SIZE (section, segment) \ <= SEGMENT_END (segment, base))) @@ -7167,7 +7168,15 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd) suggested_lma = output_section; } - BFD_ASSERT (map->count > 0); + /* PR 23932. A corrupt input file may contain sections that cannot + be assigned to any segment - because for example they have a + negative size - or segments that do not contain any sections. */ + if (map->count == 0) + { + bfd_set_error (bfd_error_bad_value); + free (sections); + return FALSE; + } /* Add the current segment to the list of built segments. */ *pointer_to_map = map; -- 2.9.3