X-Git-Url: http://drtracing.org/?a=blobdiff_plain;f=bfd%2FpeXXigen.c;h=c92c1eaf5c0746b0ef48e3ce378224abec581c2f;hb=c88960d081f0b37ec03c66a13115e2a68e40d1ad;hp=c7d606793f111a3f8f5094f831bf13d843f0c6d4;hpb=bf67003b4567600ed3022a439207ac8f26454f91;p=deliverable%2Fbinutils-gdb.git diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c index c7d606793f..c92c1eaf5c 100644 --- a/bfd/peXXigen.c +++ b/bfd/peXXigen.c @@ -1,5 +1,5 @@ /* Support for the generic parts of PE/PEI; the common executable parts. - Copyright (C) 1995-2014 Free Software Foundation, Inc. + Copyright (C) 1995-2016 Free Software Foundation, Inc. Written by Cygnus Solutions. This file is part of BFD, the Binary File Descriptor library. @@ -62,9 +62,13 @@ #include "libbfd.h" #include "coff/internal.h" #include "bfdver.h" +#include "libiberty.h" #ifdef HAVE_WCHAR_H #include #endif +#ifdef HAVE_WCTYPE_H +#include +#endif /* NOTE: it's strange to be including an architecture specific header in what's supposed to be general (to PE/PEI) code. However, that's @@ -116,7 +120,7 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1) memcpy (in->_n._n_name, ext->e.e_name, SYMNMLEN); in->n_value = H_GET_32 (abfd, ext->e_value); - in->n_scnum = H_GET_16 (abfd, ext->e_scnum); + in->n_scnum = (short) H_GET_16 (abfd, ext->e_scnum); if (sizeof (ext->e_type) == 2) in->n_type = H_GET_16 (abfd, ext->e_type); @@ -149,8 +153,13 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1) name = _bfd_coff_internal_syment_name (abfd, in, namebuf); if (name == NULL) - /* FIXME: Return error. */ - abort (); + { + _bfd_error_handler (_("%B: unable to find name for empty section"), + abfd); + bfd_set_error (bfd_error_invalid_target); + return; + } + sec = bfd_get_section_by_name (abfd, name); if (sec != NULL) in->n_scnum = sec->target_index; @@ -170,15 +179,22 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1) { name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1); if (name == NULL) - /* FIXME: Return error. */ - abort (); + { + _bfd_error_handler (_("%B: out of memory creating name for empty section"), + abfd); + return; + } strcpy ((char *) name, namebuf); } + flags = SEC_HAS_CONTENTS | SEC_ALLOC | SEC_DATA | SEC_LOAD; sec = bfd_make_section_anyway_with_flags (abfd, name, flags); if (sec == NULL) - /* FIXME: Return error. */ - abort (); + { + _bfd_error_handler (_("%B: unable to create fake empty section"), + abfd); + return; + } sec->vma = 0; sec->lma = 0; @@ -242,7 +258,7 @@ _bfd_XXi_swap_sym_out (bfd * abfd, void * inp, void * extp) as the worst that can happen is that some absolute symbols are needlessly converted into section relative symbols. */ && in->n_value > ((1ULL << (sizeof (in->n_value) > 4 ? 32 : 31)) - 1) - && in->n_scnum == -1) + && in->n_scnum == N_ABS) { asection * sec; @@ -283,6 +299,9 @@ _bfd_XXi_swap_aux_in (bfd * abfd, AUXENT *ext = (AUXENT *) ext1; union internal_auxent *in = (union internal_auxent *) in1; + /* PR 17521: Make sure that all fields in the aux structure + are initialised. */ + memset (in, 0, sizeof * in); switch (in_class) { case C_FILE: @@ -458,6 +477,7 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, aouthdr_int->entry = GET_AOUTHDR_ENTRY (abfd, aouthdr_ext->entry); aouthdr_int->text_start = GET_AOUTHDR_TEXT_START (abfd, aouthdr_ext->text_start); + #if !defined(COFF_WITH_pep) && !defined(COFF_WITH_pex64) /* PE32+ does not have data_start member! */ aouthdr_int->data_start = @@ -505,17 +525,18 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, int idx; /* PR 17512: Corrupt PE binaries can cause seg-faults. */ - if (a->NumberOfRvaAndSizes > 16) + if (a->NumberOfRvaAndSizes > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) { (*_bfd_error_handler) (_("%B: aout header specifies an invalid number of data-directory entries: %d"), abfd, a->NumberOfRvaAndSizes); + bfd_set_error (bfd_error_bad_value); + /* Paranoia: If the number is corrupt, then assume that the actual entries themselves might be corrupt as well. */ a->NumberOfRvaAndSizes = 0; } - for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) { /* If data directory is empty, rva also should be 0. */ @@ -530,6 +551,13 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, else a->DataDirectory[idx].VirtualAddress = 0; } + + while (idx < IMAGE_NUMBEROF_DIRECTORY_ENTRIES) + { + a->DataDirectory[idx].Size = 0; + a->DataDirectory[idx].VirtualAddress = 0; + idx ++; + } } if (aouthdr_int->entry) @@ -773,7 +801,7 @@ _bfd_XXi_swap_aouthdr_out (bfd * abfd, void * in, void * out) { int idx; - for (idx = 0; idx < 16; idx++) + for (idx = 0; idx < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; idx++) { H_PUT_32 (abfd, extra->DataDirectory[idx].VirtualAddress, aouthdr_out->DataDirectory[idx][0]); @@ -1033,8 +1061,8 @@ _bfd_XXi_swap_scnhdr_out (bfd * abfd, void * in, void * out) } if (coff_data (abfd)->link_info - && ! coff_data (abfd)->link_info->relocatable - && ! coff_data (abfd)->link_info->shared + && ! bfd_link_relocatable (coff_data (abfd)->link_info) + && ! bfd_link_pic (coff_data (abfd)->link_info) && strcmp (scnhdr_int->s_name, ".text") == 0) { /* By inference from looking at MS output, the 32 bit field @@ -1113,7 +1141,7 @@ _bfd_XXi_swap_debugdir_out (bfd * abfd, void * inp, void * extp) return sizeof (struct external_IMAGE_DEBUG_DIRECTORY); } -static CODEVIEW_INFO * +CODEVIEW_INFO * _bfd_XXi_slurp_codeview_record (bfd * abfd, file_ptr where, unsigned long length, CODEVIEW_INFO *cvinfo) { char buffer[256+1]; @@ -1127,7 +1155,7 @@ _bfd_XXi_slurp_codeview_record (bfd * abfd, file_ptr where, unsigned long length /* Ensure null termination of filename. */ buffer[256] = '\0'; - cvinfo->CVSignature = H_GET_32(abfd, buffer); + cvinfo->CVSignature = H_GET_32 (abfd, buffer); cvinfo->Age = 0; if ((cvinfo->CVSignature == CVINFO_PDB70_CVSIGNATURE) @@ -1168,13 +1196,15 @@ _bfd_XXi_slurp_codeview_record (bfd * abfd, file_ptr where, unsigned long length unsigned int _bfd_XXi_write_codeview_record (bfd * abfd, file_ptr where, CODEVIEW_INFO *cvinfo) { - unsigned int size = sizeof (CV_INFO_PDB70) + 1; + const bfd_size_type size = sizeof (CV_INFO_PDB70) + 1; + bfd_size_type written; CV_INFO_PDB70 *cvinfo70; - char buffer[size]; + char * buffer; if (bfd_seek (abfd, where, SEEK_SET) != 0) return 0; + buffer = xmalloc (size); cvinfo70 = (CV_INFO_PDB70 *) buffer; H_PUT_32 (abfd, CVINFO_PDB70_CVSIGNATURE, cvinfo70->CvSignature); @@ -1188,10 +1218,11 @@ _bfd_XXi_write_codeview_record (bfd * abfd, file_ptr where, CODEVIEW_INFO *cvinf H_PUT_32 (abfd, cvinfo->Age, cvinfo70->Age); cvinfo70->PdbFileName[0] = '\0'; - if (bfd_bwrite (buffer, size, abfd) != size) - return 0; + written = bfd_bwrite (buffer, size, abfd); + + free (buffer); - return size; + return written == size ? size : 0; } static char * dir_names[IMAGE_NUMBEROF_DIRECTORY_ENTRIES] = @@ -1392,7 +1423,9 @@ pe_print_idata (bfd * abfd, void * vfile) break; dll = (char *) data + dll_name - adj; - fprintf (file, _("\n\tDLL Name: %s\n"), dll); + /* PR 17512 file: 078-12277-0.004. */ + bfd_size_type maxlen = (char *)(data + datasize) - dll - 1; + fprintf (file, _("\n\tDLL Name: %.*s\n"), (int) maxlen, dll); if (hint_addr != 0) { @@ -1457,24 +1490,31 @@ pe_print_idata (bfd * abfd, void * vfile) #ifdef COFF_WITH_pex64 for (j = 0; idx + j + 8 <= datasize; j += 8) { + bfd_size_type amt; unsigned long member = bfd_get_32 (abfd, data + idx + j); unsigned long member_high = bfd_get_32 (abfd, data + idx + j + 4); if (!member && !member_high) break; + amt = member - adj; + if (HighBitSet (member_high)) fprintf (file, "\t%lx%08lx\t %4lx%08lx ", member_high, member, WithoutHighBit (member_high), member); + /* PR binutils/17512: Handle corrupt PE data. */ + else if (amt + 2 >= datasize) + fprintf (file, _("\t"), member); else { int ordinal; char *member_name; - ordinal = bfd_get_16 (abfd, data + member - adj); - member_name = (char *) data + member - adj + 2; - fprintf (file, "\t%04lx\t %4d %s",member, ordinal, member_name); + ordinal = bfd_get_16 (abfd, data + amt); + member_name = (char *) data + amt + 2; + fprintf (file, "\t%04lx\t %4d %.*s",member, ordinal, + (int) (datasize - (amt + 2)), member_name); } /* If the time stamp is not zero, the import address @@ -1490,24 +1530,30 @@ pe_print_idata (bfd * abfd, void * vfile) #else for (j = 0; idx + j + 4 <= datasize; j += 4) { + bfd_size_type amt; unsigned long member = bfd_get_32 (abfd, data + idx + j); /* Print single IMAGE_IMPORT_BY_NAME vector. */ if (member == 0) break; + amt = member - adj; if (HighBitSet (member)) fprintf (file, "\t%04lx\t %4lu ", member, WithoutHighBit (member)); + /* PR binutils/17512: Handle corrupt PE data. */ + else if (amt + 2 >= datasize) + fprintf (file, _("\t"), member); else { int ordinal; char *member_name; - ordinal = bfd_get_16 (abfd, data + member - adj); - member_name = (char *) data + member - adj + 2; - fprintf (file, "\t%04lx\t %4d %s", - member, ordinal, member_name); + ordinal = bfd_get_16 (abfd, data + amt); + member_name = (char *) data + amt + 2; + fprintf (file, "\t%04lx\t %4d %.*s", + member, ordinal, + (int) (datasize - (amt + 2)), member_name); } /* If the time stamp is not zero, the import address @@ -1612,6 +1658,15 @@ pe_print_edata (bfd * abfd, void * vfile) } } + /* PR 17512: Handle corrupt PE binaries. */ + if (datasize < 36) + { + fprintf (file, + _("\nThere is an export table in %s, but it is too small (%d)\n"), + section->name, (int) datasize); + return TRUE; + } + fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"), section->name, (unsigned long) addr); @@ -1657,7 +1712,9 @@ pe_print_edata (bfd * abfd, void * vfile) bfd_fprintf_vma (abfd, file, edt.name); if ((edt.name >= adj) && (edt.name < adj + datasize)) - fprintf (file, " %s\n", data + edt.name - adj); + fprintf (file, " %.*s\n", + (int) (datasize - (edt.name - adj)), + data + edt.name - adj); else fprintf (file, "(outside .edata section)\n"); @@ -1706,7 +1763,11 @@ pe_print_edata (bfd * abfd, void * vfile) edt.base); /* PR 17512: Handle corrupt PE binaries. */ - if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize) + if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize + /* PR 17512: file: 092b1829 */ + || (edt.num_functions * 4) < edt.num_functions + /* PR 17512 file: 140-165018-0.004. */ + || data + edt.eat_addr - adj < data) fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"), (long) edt.eat_addr, (long) edt.num_functions); @@ -1722,11 +1783,12 @@ pe_print_edata (bfd * abfd, void * vfile) /* This rva is to a name (forwarding function) in our section. */ /* Should locate a function descriptor. */ fprintf (file, - "\t[%4ld] +base[%4ld] %04lx %s -- %s\n", + "\t[%4ld] +base[%4ld] %04lx %s -- %.*s\n", (long) i, (long) (i + edt.base), (unsigned long) eat_member, _("Forwarder RVA"), + (int)(datasize - (eat_member - adj)), data + eat_member - adj); } else @@ -1747,29 +1809,39 @@ pe_print_edata (bfd * abfd, void * vfile) _("\n[Ordinal/Name Pointer] Table\n")); /* PR 17512: Handle corrupt PE binaries. */ - if (edt.npt_addr + (edt.num_names * 4) - adj >= datasize) + if (edt.npt_addr + (edt.num_names * 4) - adj >= datasize + /* PR 17512: file: bb68816e. */ + || edt.num_names * 4 < edt.num_names + || (data + edt.npt_addr - adj) < data) fprintf (file, _("\tInvalid Name Pointer Table rva (0x%lx) or entry count (0x%lx)\n"), (long) edt.npt_addr, (long) edt.num_names); - else if (edt.ot_addr + (edt.num_names * 2) - adj >= datasize) + /* PR 17512: file: 140-147171-0.004. */ + else if (edt.ot_addr + (edt.num_names * 2) - adj >= datasize + || data + edt.ot_addr - adj < data) fprintf (file, _("\tInvalid Ordinal Table rva (0x%lx) or entry count (0x%lx)\n"), (long) edt.ot_addr, (long) edt.num_names); else for (i = 0; i < edt.num_names; ++i) { - bfd_vma name_ptr = bfd_get_32 (abfd, - data + - edt.npt_addr - + (i*4) - adj); + bfd_vma name_ptr; + bfd_vma ord; - char *name = (char *) data + name_ptr - adj; + ord = bfd_get_16 (abfd, data + edt.ot_addr + (i * 2) - adj); + name_ptr = bfd_get_32 (abfd, data + edt.npt_addr + (i * 4) - adj); - bfd_vma ord = bfd_get_16 (abfd, - data + - edt.ot_addr - + (i*2) - adj); - fprintf (file, - "\t[%4ld] %s\n", (long) ord, name); + if ((name_ptr - adj) >= datasize) + { + fprintf (file, _("\t[%4ld] \n"), + (long) ord, (long) name_ptr); + } + else + { + char * name = (char *) data + name_ptr - adj; + + fprintf (file, "\t[%4ld] %.*s\n", (long) ord, + (int)((char *)(data + datasize) - name), name); + } } free (data); @@ -1831,6 +1903,14 @@ pe_print_pdata (bfd * abfd, void * vfile) if (datasize == 0) return TRUE; + /* PR 17512: file: 002-193900-0.004. */ + if (datasize < stop) + { + fprintf (file, _("Virtual size of .pdata section (%ld) larger than real size (%ld)\n"), + (long) stop, (long) datasize); + return FALSE; + } + if (! bfd_malloc_and_get_section (abfd, section, &data)) { if (data != NULL) @@ -1940,7 +2020,11 @@ slurp_symtab (bfd *abfd, sym_cache *psc) if (storage < 0) return NULL; if (storage) - sy = (asymbol **) bfd_malloc (storage); + { + sy = (asymbol **) bfd_malloc (storage); + if (sy == NULL) + return NULL; + } psc->symcount = bfd_canonicalize_symtab (abfd, sy); if (psc->symcount < 0) @@ -2139,7 +2223,7 @@ pe_print_reloc (bfd * abfd, void * vfile) { int j; bfd_vma virtual_address; - long number, size; + unsigned long number, size; bfd_byte *chunk_end; /* The .reloc section is a sequence of blocks, with a header consisting @@ -2154,7 +2238,7 @@ pe_print_reloc (bfd * abfd, void * vfile) fprintf (file, _("\nVirtual Address: %08lx Chunk size %ld (0x%lx) Number of fixups %ld\n"), - (unsigned long) virtual_address, size, (unsigned long) size, number); + (unsigned long) virtual_address, size, size, number); chunk_end = p + size; if (chunk_end > end) @@ -2209,6 +2293,12 @@ static bfd_byte * rsrc_print_resource_directory (FILE * , bfd *, unsigned int, bfd_byte *, rsrc_regions *, bfd_vma); +/* Print the resource entry at DATA, with the text indented by INDENT. + Recusively calls rsrc_print_resource_directory to print the contents + of directory entries. + Returns the address of the end of the data associated with the entry + or section_end + 1 upon failure. */ + static bfd_byte * rsrc_print_resource_entries (FILE * file, bfd * abfd, @@ -2219,13 +2309,14 @@ rsrc_print_resource_entries (FILE * file, bfd_vma rva_bias) { unsigned long entry, addr, size; + bfd_byte * leaf; if (data + 8 >= regions->section_end) return regions->section_end + 1; fprintf (file, _("%03x %*.s Entry: "), (int)(data - regions->section_start), indent, " "); - entry = (long) bfd_get_32 (abfd, data); + entry = (unsigned long) bfd_get_32 (abfd, data); if (is_name) { bfd_byte * name; @@ -2238,7 +2329,7 @@ rsrc_print_resource_entries (FILE * file, else name = regions->section_start + entry - rva_bias; - if (name + 2 < regions->section_end) + if (name + 2 < regions->section_end && name > regions->section_start) { unsigned int len; @@ -2248,20 +2339,38 @@ rsrc_print_resource_entries (FILE * file, len = bfd_get_16 (abfd, name); fprintf (file, _("name: [val: %08lx len %d]: "), entry, len); + if (name + 2 + len * 2 < regions->section_end) { /* This strange loop is to cope with multibyte characters. */ while (len --) { + char c; + name += 2; - fprintf (file, "%.1s", name); + c = * name; + /* Avoid printing control characters. */ + if (c > 0 && c < 32) + fprintf (file, "^%c", c + 64); + else + fprintf (file, "%.1s", name); } } else - fprintf (file, _(""), len); + { + fprintf (file, _("\n"), len); + /* PR binutils/17512: Do not try to continue decoding a + corrupted resource section. It is likely to end up with + reams of extraneous output. FIXME: We could probably + continue if we disable the printing of strings... */ + return regions->section_end + 1; + } } else - fprintf (file, _(""), entry); + { + fprintf (file, _("\n"), entry); + return regions->section_end + 1; + } } else fprintf (file, _("ID: %#08lx"), entry); @@ -2270,22 +2379,32 @@ rsrc_print_resource_entries (FILE * file, fprintf (file, _(", Value: %#08lx\n"), entry); if (HighBitSet (entry)) - return rsrc_print_resource_directory (file, abfd, indent + 1, - regions->section_start + WithoutHighBit (entry), - regions, rva_bias); + { + data = regions->section_start + WithoutHighBit (entry); + if (data <= regions->section_start || data > regions->section_end) + return regions->section_end + 1; + + /* FIXME: PR binutils/17512: A corrupt file could contain a loop + in the resource table. We need some way to detect this. */ + return rsrc_print_resource_directory (file, abfd, indent + 1, data, + regions, rva_bias); + } + + leaf = regions->section_start + entry; - if (regions->section_start + entry + 16 >= regions->section_end) + if (leaf + 16 >= regions->section_end + /* PR 17512: file: 055dff7e. */ + || leaf < regions->section_start) return regions->section_end + 1; fprintf (file, _("%03x %*.s Leaf: Addr: %#08lx, Size: %#08lx, Codepage: %d\n"), - (int) (entry), - indent, " ", - addr = (long) bfd_get_32 (abfd, regions->section_start + entry), - size = (long) bfd_get_32 (abfd, regions->section_start + entry + 4), - (int) bfd_get_32 (abfd, regions->section_start + entry + 8)); + (int) (entry), indent, " ", + addr = (long) bfd_get_32 (abfd, leaf), + size = (long) bfd_get_32 (abfd, leaf + 4), + (int) bfd_get_32 (abfd, leaf + 8)); /* Check that the reserved entry is 0. */ - if (bfd_get_32 (abfd, regions->section_start + entry + 12) != 0 + if (bfd_get_32 (abfd, leaf + 12) != 0 /* And that the data address/size is valid too. */ || (regions->section_start + (addr - rva_bias) + size > regions->section_end)) return regions->section_end + 1; @@ -2319,7 +2438,12 @@ rsrc_print_resource_directory (FILE * file, case 0: fprintf (file, "Type"); break; case 2: fprintf (file, "Name"); break; case 4: fprintf (file, "Language"); break; - default: fprintf (file, ""); break; + default: + fprintf (file, _("\n"), indent); + /* FIXME: For now we end the printing here. If in the + future more directory types are added to the RSRC spec + then we will need to change this. */ + return regions->section_end + 1; } fprintf (file, _(" Table: Char: %d, Time: %08lx, Ver: %d/%d, Num Names: %d, IDs: %d\n"), @@ -2431,7 +2555,7 @@ rsrc_print_section (bfd * abfd, void * vfile) /* If the extra data is all zeros then do not complain. This is just padding so that the section meets the page size requirements. */ - while (data ++ < regions.section_end) + while (++ data < regions.section_end) if (*data != 0) break; if (data < regions.section_end) @@ -2441,12 +2565,12 @@ rsrc_print_section (bfd * abfd, void * vfile) } if (regions.strings_start != NULL) - fprintf (file, " String table starts at %03x\n", + fprintf (file, " String table starts at offset: %#03x\n", (int) (regions.strings_start - regions.section_start)); if (regions.resource_start != NULL) - fprintf (file, " Resources start at %03xx\n", + fprintf (file, " Resources start at offset: %#03x\n", (int) (regions.resource_start - regions.section_start)); - + free (regions.section_start); return TRUE; } @@ -2506,16 +2630,29 @@ pe_print_debugdata (bfd * abfd, void * vfile) section->name); return TRUE; } + else if (section->size < size) + { + fprintf (file, + _("\nError: section %s contains the debug data starting address but it is too small\n"), + section->name); + return FALSE; + } fprintf (file, _("\nThere is a debug directory in %s at 0x%lx\n\n"), section->name, (unsigned long) addr); dataoff = addr - section->vma; + if (size > (section->size - dataoff)) + { + fprintf (file, _("The debug data size field in the data directory is too big for the section")); + return FALSE; + } + fprintf (file, _("Type Size Rva Offset\n")); - /* Read the whole section. */ + /* Read the whole section. */ if (!bfd_malloc_and_get_section (abfd, section, &data)) { if (data != NULL) @@ -2532,7 +2669,7 @@ pe_print_debugdata (bfd * abfd, void * vfile) _bfd_XXi_swap_debugdir_in (abfd, ext, &idd); - if ((idd.Type) > IMAGE_NUMBEROF_DEBUG_TYPES) + if ((idd.Type) >= IMAGE_NUMBEROF_DEBUG_TYPES) type_name = debug_type_names[0]; else type_name = debug_type_names[idd.Type]; @@ -2544,7 +2681,11 @@ pe_print_debugdata (bfd * abfd, void * vfile) if (idd.Type == PE_IMAGE_DEBUG_TYPE_CODEVIEW) { char signature[CV_INFO_SIGNATURE_LENGTH * 2 + 1]; - char buffer[256 + 1]; + /* PR 17512: file: 065-29434-0.001:0.1 + We need to use a 32-bit aligned buffer + to safely read in a codeview record. */ + char buffer[256 + 1] ATTRIBUTE_ALIGNED_ALIGNOF (CODEVIEW_INFO); + CODEVIEW_INFO *cvinfo = (CODEVIEW_INFO *) buffer; /* The debug entry doesn't have to have to be in a section, @@ -2814,6 +2955,16 @@ _bfd_XX_bfd_copy_private_bfd_data_common (bfd * ibfd, bfd * obfd) struct external_IMAGE_DEBUG_DIRECTORY *dd = (struct external_IMAGE_DEBUG_DIRECTORY *)(data + (addr - section->vma)); + /* PR 17512: file: 0f15796a. */ + if (ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size + (addr - section->vma) + > bfd_get_section_size (section)) + { + _bfd_error_handler (_("%B: Data Directory size (%lx) exceeds space left in section (%lx)"), + obfd, ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size, + bfd_get_section_size (section) - (addr - section->vma)); + return FALSE; + } + for (i = 0; i < ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size / sizeof (struct external_IMAGE_DEBUG_DIRECTORY); i++) { @@ -2837,8 +2988,16 @@ _bfd_XX_bfd_copy_private_bfd_data_common (bfd * ibfd, bfd * obfd) } if (!bfd_set_section_contents (obfd, section, data, 0, section->size)) - _bfd_error_handler (_("Failed to update file offsets in debug directory")); + { + _bfd_error_handler (_("Failed to update file offsets in debug directory")); + return FALSE; + } } + else if (section) + { + _bfd_error_handler (_("%B: Failed to read debug data section"), obfd); + return FALSE; + } } return TRUE; @@ -2938,7 +3097,7 @@ rsrc_count_entries (bfd * abfd, else name = datastart + entry - rva_bias; - if (name + 2 >= dataend) + if (name + 2 >= dataend || name < datastart) return dataend + 1; unsigned int len = bfd_get_16 (abfd, name); @@ -2949,10 +3108,14 @@ rsrc_count_entries (bfd * abfd, entry = (long) bfd_get_32 (abfd, data + 4); if (HighBitSet (entry)) - return rsrc_count_directory (abfd, - datastart, - datastart + WithoutHighBit (entry), - dataend, rva_bias); + { + data = datastart + WithoutHighBit (entry); + + if (data <= datastart || data >= dataend) + return dataend + 1; + + return rsrc_count_directory (abfd, datastart, data, dataend, rva_bias); + } if (datastart + entry + 16 >= dataend) return dataend + 1; @@ -3074,20 +3237,24 @@ rsrc_parse_entry (bfd * abfd, if (is_name) { - /* FIXME: Add range checking ? */ + bfd_byte * address; + if (HighBitSet (val)) { val = WithoutHighBit (val); - entry->name_id.name.len = bfd_get_16 (abfd, datastart + val); - entry->name_id.name.string = datastart + val + 2; + address = datastart + val; } else { - entry->name_id.name.len = bfd_get_16 (abfd, datastart + val - - rva_bias); - entry->name_id.name.string = datastart + val - rva_bias + 2; + address = datastart + val - rva_bias; } + + if (address + 3 > dataend) + return dataend; + + entry->name_id.name.len = bfd_get_16 (abfd, address); + entry->name_id.name.string = address + 2; } else entry->name_id.id = val; @@ -3112,9 +3279,14 @@ rsrc_parse_entry (bfd * abfd, if (entry->value.leaf == NULL) return dataend; - addr = bfd_get_32 (abfd, datastart + val); - size = entry->value.leaf->size = bfd_get_32 (abfd, datastart + val + 4); - entry->value.leaf->codepage = bfd_get_32 (abfd, datastart + val + 8); + data = datastart + val; + if (data < datastart || data >= dataend) + return dataend; + + addr = bfd_get_32 (abfd, data); + size = entry->value.leaf->size = bfd_get_32 (abfd, data + 4); + entry->value.leaf->codepage = bfd_get_32 (abfd, data + 8); + /* FIXME: We assume that the reserved field (data + 12) is OK. */ entry->value.leaf->data = bfd_malloc (size); if (entry->value.leaf->data == NULL) @@ -3302,7 +3474,7 @@ rsrc_compute_region_sizes (rsrc_directory * dir) sizeof_tables_and_entries += 8; sizeof_strings += (entry->name_id.name.len + 1) * 2; - + if (entry->is_dir) rsrc_compute_region_sizes (entry->value.directory); else @@ -3372,7 +3544,11 @@ rsrc_write_directory (rsrc_write_data * data, putting its 'ucs4_t' representation in *PUC. */ static unsigned int +#if defined HAVE_WCTYPE_H +u16_mbtouc (wint_t * puc, const unsigned short * s, unsigned int n) +#else u16_mbtouc (wchar_t * puc, const unsigned short * s, unsigned int n) +#endif { unsigned short c = * s; @@ -3444,20 +3620,34 @@ rsrc_cmp (bfd_boolean is_name, rsrc_entry * a, rsrc_entry * b) #elif defined HAVE_WCHAR_H { unsigned int i; + res = 0; for (i = min (alen, blen); i--; astring += 2, bstring += 2) { +#if defined HAVE_WCTYPE_H + wint_t awc; + wint_t bwc; +#else wchar_t awc; wchar_t bwc; +#endif - /* Convert UTF-16 unicode characters into wchar_t characters so - that we can then perform a case insensitive comparison. */ - int Alen = u16_mbtouc (& awc, (const unsigned short *) astring, 2); - int Blen = u16_mbtouc (& bwc, (const unsigned short *) bstring, 2); + /* Convert UTF-16 unicode characters into wchar_t characters + so that we can then perform a case insensitive comparison. */ + unsigned int Alen = u16_mbtouc (& awc, (const unsigned short *) astring, 2); + unsigned int Blen = u16_mbtouc (& bwc, (const unsigned short *) bstring, 2); if (Alen != Blen) return Alen - Blen; + +#ifdef HAVE_WCTYPE_H + awc = towlower (awc); + bwc = towlower (bwc); + + res = awc - bwc; +#else res = wcsncasecmp (& awc, & bwc, 1); +#endif if (res) break; } @@ -3974,7 +4164,8 @@ rsrc_process_section (bfd * abfd, { asection * rsrc_sec = bfd_get_section_by_name (input, ".rsrc"); - if (rsrc_sec != NULL) + /* PR 18372 - skip discarded .rsrc sections. */ + if (rsrc_sec != NULL && !discarded_section (rsrc_sec)) { if (num_input_rsrc == max_num_input_rsrc) { @@ -4341,6 +4532,8 @@ _bfd_XXi_final_link_postscript (bfd * abfd, struct coff_final_link_info *pfinfo) } free (tmp_data); } + else + result = FALSE; } } #endif