From d785b7d4b877ed465d04072e17ca19d0f47d840f Mon Sep 17 00:00:00 2001 From: Nick Clifton <nickc@redhat.com> Date: Wed, 29 Nov 2017 12:40:43 +0000 Subject: [PATCH] Stop objdump from attempting to allocate a huge chunk of memory when parsing relocs in a corrupt file. PR 22508 * objdump.c (dump_relocs_in_section): Also check the section's relocation count to make sure that it is reasonable before attempting to allocate space for the relocs. --- binutils/objdump.c | 11 ++++++++++- diff --git a/binutils/objdump.c b/binutils/objdump.c index 40b4acf..e7d91e8 100644 --- a/binutils/objdump.c +++ b/binutils/objdump.c @@ -3427,7 +3427,16 @@ dump_relocs_in_section (bfd *abfd, } if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0 - && (ufile_ptr) relsize > bfd_get_file_size (abfd)) + && (((ufile_ptr) relsize > bfd_get_file_size (abfd)) + /* Also check the section's reloc count since if this is negative + (or very large) the computation in bfd_get_reloc_upper_bound + may have resulted in returning a small, positive integer. + See PR 22508 for a reproducer. + + Note - we check against file size rather than section size as + it is possible for there to be more relocs that apply to a + section than there are bytes in that section. */ + || (section->reloc_count > bfd_get_file_size (abfd)))) { printf (" (too many: 0x%x)\n", section->reloc_count); bfd_set_error (bfd_error_file_truncated); -- 2.9.3