More fixes for illegal memory accesses triggered by running objdump on fuzzed binaries.

[deliverable/binutils-gdb.git] / bfd / mach-o.c

diff --git a/bfd/mach-o.c b/bfd/mach-o.c
index e136c2d3994052c9b2621e8bebd661bce29072a3..d44b94c7ed56288bd12f13ff62d18f0b535cfeae 100644 (file)
--- a/bfd/mach-o.c
+++ b/bfd/mach-o.c
@@ -390,7 +390,7 @@ bfd_mach_o_convert_section_name_to_bfd (bfd *abfd, const char *segname,
   if (xlat)
     {
       len = strlen (xlat->bfd_name);
-      res = bfd_alloc (abfd, len+1);
+      res = bfd_alloc (abfd, len + 1);
       if (res == NULL)
        return;
       memcpy (res, xlat->bfd_name, len+1);
@@ -1389,7 +1389,7 @@ bfd_mach_o_canonicalize_one_reloc (bfd *abfd,
       if (reloc.r_extern)
        {
          /* PR 17512: file: 8396-1185-0.004.  */
-         if (bfd_get_symcount (abfd) > 0 && num > bfd_get_symcount (abfd))
+         if (num >= bfd_mach_o_count_symbols (abfd))
            sym = bfd_und_section_ptr->symbol_ptr_ptr;
          else if (syms == NULL)
            sym = bfd_und_section_ptr->symbol_ptr_ptr;      
@@ -1457,6 +1457,10 @@ bfd_mach_o_canonicalize_relocs (bfd *abfd, unsigned long filepos,
   /* Allocate and read relocs.  */
   native_size = count * BFD_MACH_O_RELENT_SIZE;
 
+  /* PR 17512: file: 09477b57.  */
+  if (native_size < count)
+    return -1;
+
   native_relocs =
     (struct mach_o_reloc_info_external *) bfd_malloc (native_size);
   if (native_relocs == NULL)
@@ -1496,6 +1500,8 @@ bfd_mach_o_canonicalize_reloc (bfd *abfd, asection *asect,
 
   if (asect->relocation == NULL)
     {
+      if (asect->reloc_count * sizeof (arelent) < asect->reloc_count)
+       return -1;
       res = bfd_malloc (asect->reloc_count * sizeof (arelent));
       if (res == NULL)
         return -1;
@@ -1549,6 +1555,10 @@ bfd_mach_o_canonicalize_dynamic_reloc (bfd *abfd, arelent **rels,
 
   if (mdata->dyn_reloc_cache == NULL)
     {
+      if ((dysymtab->nextrel + dysymtab->nlocrel) * sizeof (arelent)
+         < (dysymtab->nextrel + dysymtab->nlocrel))
+       return -1;
+
       res = bfd_malloc ((dysymtab->nextrel + dysymtab->nlocrel)
                         * sizeof (arelent));
       if (res == NULL)
@@ -1863,11 +1873,10 @@ bfd_mach_o_write_symtab_content (bfd *abfd, bfd_mach_o_symtab_command *sym)
   mdata->filelen += sym->strsize;
 
   if (bfd_seek (abfd, sym->stroff, SEEK_SET) != 0)
-    return FALSE;
+    goto err;
 
   if (_bfd_stringtab_emit (abfd, strtab) != TRUE)
     goto err;
-  _bfd_stringtab_free (strtab);
 
   /* Pad string table.  */
   padlen = bfd_mach_o_pad4 (abfd, sym->strsize);
@@ -1880,6 +1889,7 @@ bfd_mach_o_write_symtab_content (bfd *abfd, bfd_mach_o_symtab_command *sym)
 
  err:
   _bfd_stringtab_free (strtab);
+  sym->strsize = 0;
   return FALSE;
 }
 
@@ -1997,6 +2007,8 @@ bfd_mach_o_build_dysymtab (bfd *abfd, bfd_mach_o_dysymtab_command *cmd)
       cmd->indirectsymoff = mdata->filelen;
       mdata->filelen += cmd->nindirectsyms * 4;
 
+      if (cmd->nindirectsyms * 4 < cmd->nindirectsyms)
+       return FALSE;
       cmd->indirect_syms = bfd_zalloc (abfd, cmd->nindirectsyms * 4);
       if (cmd->indirect_syms == NULL)
         return FALSE;
@@ -2392,8 +2404,8 @@ bfd_mach_o_mangle_sections (bfd *abfd, bfd_mach_o_data_struct *mdata)
     }
 
   mdata->nsects = nsect;
-  mdata->sections = bfd_alloc (abfd,
-                              mdata->nsects * sizeof (bfd_mach_o_section *));
+  mdata->sections = bfd_alloc2 (abfd,
+                               mdata->nsects, sizeof (bfd_mach_o_section *));
   if (mdata->sections == NULL)
     return FALSE;
 
@@ -3731,32 +3743,28 @@ bfd_mach_o_read_symtab_symbols (bfd *abfd)
     /* Return now if there are no symbols or if already loaded.  */
     return TRUE;
 
-  sym->symbols = bfd_alloc (abfd, sym->nsyms * sizeof (bfd_mach_o_asymbol));
-
+  sym->symbols = bfd_alloc2 (abfd, sym->nsyms, sizeof (bfd_mach_o_asymbol));
   if (sym->symbols == NULL)
     {
       (*_bfd_error_handler) (_("bfd_mach_o_read_symtab_symbols: unable to allocate memory for symbols"));
+      sym->nsyms = 0;
       return FALSE;
     }
 
   if (!bfd_mach_o_read_symtab_strtab (abfd))
-    {
-      bfd_release (abfd, sym->symbols);
-      sym->symbols = NULL;
-      return FALSE;
-    }
+    goto fail;
 
   for (i = 0; i < sym->nsyms; i++)
-    {
-      if (!bfd_mach_o_read_symtab_symbol (abfd, sym, &sym->symbols[i], i))
-       {
-         bfd_release (abfd, sym->symbols);
-         sym->symbols = NULL;
-         return FALSE;
-       }
-    }
+    if (!bfd_mach_o_read_symtab_symbol (abfd, sym, &sym->symbols[i], i))
+      goto fail;
 
   return TRUE;
+
+ fail:
+  bfd_release (abfd, sym->symbols);
+  sym->symbols = NULL;
+  sym->nsyms = 0;
+  return FALSE;
 }
 
 static const char *
@@ -3989,8 +3997,8 @@ bfd_mach_o_read_thread (bfd *abfd, bfd_mach_o_load_command *command)
     }
 
   /* Allocate threads.  */
-  cmd->flavours = bfd_alloc
-    (abfd, nflavours * sizeof (bfd_mach_o_thread_flavour));
+  cmd->flavours = bfd_alloc2
+    (abfd, nflavours, sizeof (bfd_mach_o_thread_flavour));
   if (cmd->flavours == NULL)
     return FALSE;
   cmd->nflavours = nflavours;
@@ -4113,7 +4121,7 @@ bfd_mach_o_read_dysymtab (bfd *abfd, bfd_mach_o_load_command *command)
       unsigned int module_len = wide ? 56 : 52;
 
       cmd->dylib_module =
-        bfd_alloc (abfd, cmd->nmodtab * sizeof (bfd_mach_o_dylib_module));
+        bfd_alloc2 (abfd, cmd->nmodtab, sizeof (bfd_mach_o_dylib_module));
       if (cmd->dylib_module == NULL)
         return FALSE;
 
@@ -4159,10 +4167,10 @@ bfd_mach_o_read_dysymtab (bfd *abfd, bfd_mach_o_load_command *command)
 
   if (cmd->ntoc != 0)
     {
-      unsigned int i;
+      unsigned long i;
 
-      cmd->dylib_toc = bfd_alloc
-        (abfd, cmd->ntoc * sizeof (bfd_mach_o_dylib_table_of_content));
+      cmd->dylib_toc = bfd_alloc2
+        (abfd, cmd->ntoc, sizeof (bfd_mach_o_dylib_table_of_content));
       if (cmd->dylib_toc == NULL)
         return FALSE;
 
@@ -4186,8 +4194,8 @@ bfd_mach_o_read_dysymtab (bfd *abfd, bfd_mach_o_load_command *command)
     {
       unsigned int i;
 
-      cmd->indirect_syms = bfd_alloc
-        (abfd, cmd->nindirectsyms * sizeof (unsigned int));
+      cmd->indirect_syms = bfd_alloc2
+        (abfd, cmd->nindirectsyms, sizeof (unsigned int));
       if (cmd->indirect_syms == NULL)
         return FALSE;
 
@@ -4211,8 +4219,8 @@ bfd_mach_o_read_dysymtab (bfd *abfd, bfd_mach_o_load_command *command)
       unsigned long v;
       unsigned int i;
 
-      cmd->ext_refs = bfd_alloc
-        (abfd, cmd->nextrefsyms * sizeof (bfd_mach_o_dylib_reference));
+      cmd->ext_refs = bfd_alloc2
+        (abfd, cmd->nextrefsyms, sizeof (bfd_mach_o_dylib_reference));
       if (cmd->ext_refs == NULL)
         return FALSE;
 
@@ -4743,8 +4751,8 @@ bfd_mach_o_flatten_sections (bfd *abfd)
     }
 
   /* Allocate sections array.  */
-  mdata->sections = bfd_alloc (abfd,
-                              mdata->nsects * sizeof (bfd_mach_o_section *));
+  mdata->sections = bfd_alloc2 (abfd,
+                               mdata->nsects, sizeof (bfd_mach_o_section *));
 
   /* Fill the array.  */
   csect = 0;
@@ -4916,7 +4924,8 @@ bfd_mach_o_scan (bfd *abfd,
 
       mdata->first_command = NULL;
       mdata->last_command = NULL;
-      cmd = bfd_alloc (abfd, header->ncmds * sizeof (bfd_mach_o_load_command));
+
+      cmd = bfd_alloc2 (abfd, header->ncmds, sizeof (bfd_mach_o_load_command));
       if (cmd == NULL)
        return FALSE;
 
@@ -5152,7 +5161,7 @@ bfd_mach_o_archive_p (bfd *abfd)
     goto error;
 
   adata->archentries =
-    bfd_alloc (abfd, adata->nfat_arch * sizeof (mach_o_fat_archentry));
+    bfd_alloc2 (abfd, adata->nfat_arch, sizeof (mach_o_fat_archentry));
   if (adata->archentries == NULL)
     goto error;
 
@@ -5169,6 +5178,7 @@ bfd_mach_o_archive_p (bfd *abfd)
     }
 
   abfd->tdata.mach_o_fat_data = adata;
+
   return abfd->xvec;
 
  error: