From d785b7d4b877ed465d04072e17ca19d0f47d840f Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Wed, 29 Nov 2017 12:40:43 +0000
Subject: [PATCH] Stop objdump from attempting to allocate a huge chunk of
 memory when parsing relocs in a corrupt file.

	PR 22508
	* objdump.c (dump_relocs_in_section): Also check the section's
	relocation count to make sure that it is reasonable before
	attempting to allocate space for the relocs.
---
 binutils/objdump.c | 11 ++++++++++-

diff --git a/binutils/objdump.c b/binutils/objdump.c
index 40b4acf..e7d91e8 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -3427,7 +3427,16 @@ dump_relocs_in_section (bfd *abfd,
     }
 
   if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
-      && (ufile_ptr) relsize > bfd_get_file_size (abfd))
+      && (((ufile_ptr) relsize > bfd_get_file_size (abfd))
+	  /* Also check the section's reloc count since if this is negative
+	     (or very large) the computation in bfd_get_reloc_upper_bound
+	     may have resulted in returning a small, positive integer.
+	     See PR 22508 for a reproducer.
+
+	     Note - we check against file size rather than section size as
+	     it is possible for there to be more relocs that apply to a
+	     section than there are bytes in that section.  */
+	  || (section->reloc_count > bfd_get_file_size (abfd))))
     {
       printf (" (too many: 0x%x)\n", section->reloc_count);
       bfd_set_error (bfd_error_file_truncated);
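Review bot: The added test `section->reloc_count > bfd_get_file_size (abfd)` bounds the count only by the file's byte length, so the wrap that the new comment attributes to bfd_get_reloc_upper_bound is still possible at its source. A count just under the file size passes this guard, and on a host with a narrow `long` the size computation could presumably still wrap for a very large input. Any other caller of bfd_get_reloc_upper_bound (none are visible here) gets no protection, so the overflow check belongs where the size is computed, with this test kept as a second line of defence in objdump. As a smaller point, the count is printed with `%x` and compared as unsigned here, so "negative" in the comment is misleading; writing the test as `|| (ufile_ptr) section->reloc_count > bfd_get_file_size (abfd)` would mirror the relsize comparison above it. dump_relocs_in_section begins and ends outside this hunk, so the allocation that follows the guard could not be checked.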
-- 
2.9.3