From: Nick Clifton <nickc@redhat.com>
Date: Sun, 10 Sep 2017 09:26:33 +0000 (+0100)
Subject: Import fix from mainline that fixes buffer overrun errors when parsing corrupt DWARF... 
X-Git-Tag: binutils-2_29_1~11
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4c730770f07e4b5da5ab0a7654056cc9532b967d;p=thirdparty%2Fbinutils-gdb.git

Import fix from mainline that fixes buffer overrun errors when parsing corrupt DWARF debug information string sections.

	PR 22047
	* dwarf2.c (read_section): If necessary add a terminating NUL byte
	to dwarf string sections.
---

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 708a4bf8f76..ed97efc83fc 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2017-09-10  Nick Clifton  <nickc@redhat.com>
+
+	Import from mainline:
+
+	PR 22047
+	* dwarf2.c (read_section): If necessary add a terminating NUL byte
+	to dwarf string sections.
+
 2017-09-10  Alan Modra  <amodra@gmail.com>
 
 	* elf64-ppp.c (plt_stub_pad): Handle positive and negative
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 877962783b3..3cb2c347c8b 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -566,6 +566,29 @@ read_section (bfd *           abfd,
 					  0, *section_size))
 	    return FALSE;
 	}
+
+      /* Paranoia - if we are reading in a string section, make sure that it
+        is NUL terminated.  This is to prevent string functions from running
+        off the end of the buffer.  Note - knowing the size of the buffer is
+        not enough as some functions, eg strchr, do not have a range limited
+        equivalent.
+
+        FIXME: We ought to use a flag in the dwarf_debug_sections[] table to
+        determine the nature of a debug section, rather than checking the
+        section name as we do here.  */
+      if (*section_size > 0
+         && (*section_buffer)[*section_size - 1] != 0
+         && (strstr (section_name, "_str") || strstr (section_name, "names")))
+       {
+         bfd_byte * new_buffer = malloc (*section_size + 1);
+
+         _bfd_error_handler (_("warning: dwarf string section '%s' is not NUL terminated"),
+                             section_name);
+         memcpy (new_buffer, *section_buffer, *section_size);
+         new_buffer[*section_size] = 0;
+         free (*section_buffer);
+         *section_buffer = new_buffer;
+       }
     }
 
   /* It is possible to get a bad value for the offset into the section