
(-)b/devel/binutils/Makefile (-1 / +1 lines)
Lines 2-8 Link Here
2
2
3
PORTNAME=	binutils
3
PORTNAME=	binutils
4
PORTVERSION=	2.33.1
4
PORTVERSION=	2.33.1
5
PORTREVISION=	4
5
PORTREVISION=	5
6
PORTEPOCH?=	1
6
PORTEPOCH?=	1
7
CATEGORIES?=	devel
7
CATEGORIES?=	devel
8
MASTER_SITES=	SOURCEWARE/binutils/releases
8
MASTER_SITES=	SOURCEWARE/binutils/releases
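--- a/devel/binutils/files/patch-CVE-2021-3487
+++ b/devel/binutils/files/patch-CVE-2021-3487
@@ -0,0 +1,75 @@
+From a782e724be101be550bb47b4e6a2a0c92475c494 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 26 Nov 2020 17:08:33 +0000
+Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt
+ DWARF debug sections.
+
+	PR 26946
+	* dwarf2.c (read_section): Check for debug sections with excessive
+	sizes.
+---
+ bfd/dwarf2.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git bfd/dwarf2.c bfd/dwarf2.c
+index ed6dcd48c7f..348e69cb063 100644
+--- bfd/dwarf2.c
++++ bfd/dwarf2.c
+@@ -527,22 +527,24 @@ read_section (bfd *	      abfd,
+ 	      bfd_byte **     section_buffer,
+ 	      bfd_size_type * section_size)
+ {
+-  asection *msec;
+   const char *section_name = sec->uncompressed_name;
+   bfd_byte *contents = *section_buffer;
+-  bfd_size_type amt;
+ 
+   /* The section may have already been read.  */
+   if (contents == NULL)
+     {
++      bfd_size_type amt;
++      asection *msec;
++      ufile_ptr filesize;
++
+       msec = bfd_get_section_by_name (abfd, section_name);
+-      if (! msec)
++      if (msec == NULL)
+ 	{
+ 	  section_name = sec->compressed_name;
+ 	  if (section_name != NULL)
+ 	    msec = bfd_get_section_by_name (abfd, section_name);
+ 	}
+-      if (! msec)
++      if (msec == NULL)
+ 	{
+ 	  _bfd_error_handler (_("DWARF error: can't find %s section."),
+ 			      sec->uncompressed_name);
+@@ -550,12 +552,23 @@ read_section (bfd *	      abfd,
+ 	  return FALSE;
+ 	}
+ 
+-      *section_size = msec->rawsize ? msec->rawsize : msec->size;
++      amt = bfd_get_section_limit_octets (abfd, msec);
++      filesize = bfd_get_file_size (abfd);
++      if (amt >= filesize)
++	{
++	  /* PR 26946 */
++	  _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
++			      section_name, (long) amt, (long) filesize);
++	  bfd_set_error (bfd_error_bad_value);
++	  return FALSE;
++	}
++      *section_size = amt;
+       /* Paranoia - alloc one extra so that we can make sure a string
+ 	 section is NUL terminated.  */
+-      amt = *section_size + 1;
++      amt += 1;
+       if (amt == 0)
+ 	{
++	  /* Paranoia - this should never happen.  */
+ 	  bfd_set_error (bfd_error_no_memory);
+ 	  return FALSE;
+ 	}
+-- 
+2.31.1
+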
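Review bot: The new size guard in read_section, `if (amt >= filesize)`, trusts the result of bfd_get_file_size unconditionally; if that call returns 0 when the size cannot be determined (I believe it does for a BFD with no backing file, but confirm against bfdio.c), every debug section of such a BFD is rejected. Writing it as `if (filesize != 0 && amt >= filesize)` keeps the bound on the attacker-controlled section size for real files without refusing all sections when the size is unknown. The same block falls back to `sec->compressed_name`, so it is also worth confirming that a legitimately compressed section whose limit exceeds the on-disk file size is not refused by this comparison. The diagnostic pairs `0x%lx` with `(long)` casts, which mismatches signedness and can truncate a bfd_size_type where long is 32 bits; `(unsigned long) amt, (unsigned long) filesize` would at least match the format. read_section continues past the end of the second hunk, so the allocation and read that consume `amt` are not visible here.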
