From: Alan Modra
Date: Fri, 18 May 2018 07:39:45 +0000 (+0930)
Subject: PR23199, Invalid SHT_GROUP entry leads to group confusion
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3d435293f0dd45247e8057574389f322f5fe5a2;p=thirdparty%2Fbinutils-gdb.git
PR23199, Invalid SHT_GROUP entry leads to group confusion This patch prevents elf_next_in_group list pointer confusion when SHT_GROUP sections specify other SHT_GROUP sections in their list of group sections. PR 23199 * elf.c (setup_group): Formatting. Check that SHT_GROUP entries don't point at other SHT_GROUP sections. Set shdr corresponding to invalid entry, to NULL rather than section 0. Identify SHT_GROUP section index when reporting an error. Cope with NULL shdr pointer. (cherry picked from commit 4bba0fb1c6d391a217c25e44398a7e1c7090155f)
---
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index c9b0ab57b30..f815f905588 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,12 @@
+2018-05-18 Alan Modra
+
+ PR 23199
+ * elf.c (setup_group): Formatting. Check that SHT_GROUP entries
+ don't point at other SHT_GROUP sections. Set shdr corresponding
+ to invalid entry, to NULL rather than section 0. Identify
+ SHT_GROUP section index when reporting an error. Cope with NULL
+ shdr pointer.
+
 2018-05-15 Christophe Guillon
 * coffcode.h (coff_bigobj_swap_aux_in): Make sure that all fields
diff --git a/bfd/elf.c b/bfd/elf.c
index e95c8a9c839..f657ec45670 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -627,7 +627,8 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
 bfd_alloc2 (abfd, num_group, sizeof (Elf_Internal_Shdr *));
 if (elf_tdata (abfd)->group_sect_ptr == NULL)
 return FALSE;
- memset (elf_tdata (abfd)->group_sect_ptr, 0, num_group * sizeof (Elf_Internal_Shdr *));
+ memset (elf_tdata (abfd)->group_sect_ptr, 0,
+ num_group * sizeof (Elf_Internal_Shdr *));
 num_group = 0;
 for (i = 0; i < shnum; i++)
@@ -706,13 +707,16 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
 |= SEC_LINK_ONCE | SEC_LINK_DUPLICATES_DISCARD;
 break;
 }
- if (idx >= shnum)
+ if (idx < shnum)
+ dest->shdr = elf_elfsections (abfd)[idx];
+ if (idx >= shnum
+ || dest->shdr->sh_type == SHT_GROUP)
 {
 _bfd_error_handler
- (_("%B: invalid SHT_GROUP entry"), abfd);
- idx = 0;
+ (_("%B: invalid entry in SHT_GROUP section [%u]"),
+ abfd, i);
+ dest->shdr = NULL;
 }
- dest->shdr = elf_elfsections (abfd)[idx];
 }
 }
 }
@@ -778,7 +782,8 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
 idx = (Elf_Internal_Group *) shdr->contents;
 n_elt = shdr->sh_size / 4;
 while (--n_elt != 0)
- if ((s = (++idx)->shdr->bfd_section) != NULL
+ if ((++idx)->shdr != NULL
+ && (s = idx->shdr->bfd_section) != NULL
 && elf_next_in_group (s) != NULL)
 break;
 if (n_elt != 0)
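Review bot: `dest->shdr = NULL;` in the hunk at `@@ -706,13 +707,16 @@` makes NULL the marker for a rejected group entry, but no comment records that contract. Before this change an invalid entry was pointed at section 0, so code reading the group array could presumably dereference `shdr` without a test; any reader left unchanged would now fault on a malformed object file. Only one reader is adjusted in the visible hunks (the scan at `@@ -778,7 +782,8 @@`), so the other uses of the entries' `shdr` field, which lie outside this view, should be checked for a NULL test. I would add above the assignment `/* NULL marks an invalid entry; every reader of the group array must skip it.  */`. setup_group's body starts and ends outside the hunk.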
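Review bot: The new condition in the hunk at `@@ -778,7 +782,8 @@` advances `idx` inside its first operand and then reads `idx->shdr` and assigns `s` in the second, so it is correct only because `&&` evaluates left to right. That is valid C, but the pointer step and the NULL test are easier to audit apart: give the `while` a braced body with `++idx;` as its own statement, followed by `if (idx->shdr != NULL && (s = idx->shdr->bfd_section) != NULL && elf_next_in_group (s) != NULL) break;`. When an entry's `shdr` is NULL, `s` keeps whatever value it had before, which is harmless only if the code after the loop reads `s` solely under `n_elt != 0`; that code is outside the hunk.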