From 0bb6961f18b8e832d88b490d421ca56cea16c45b Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 31 Oct 2017 14:29:40 +0000 Subject: [PATCH] Fix illegal memory access triggered when parsing a PE binary with a corrupt data dictionary. PR 22373 * peicode.h (pe_bfd_read_buildid): Check for invalid size and data offset values. Upstrem-Status: Backport Affects: <= 2.29.1 CVE: CVE-2017-16832 Signed-off-by: Armin Kuster --- bfd/ChangeLog | 6 ++++++ bfd/peicode.h | 9 ++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) Index: git/bfd/peicode.h =================================================================== --- git.orig/bfd/peicode.h +++ git/bfd/peicode.h @@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd) bfd_byte *data = 0; bfd_size_type dataoff; unsigned int i; - bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress; bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size; @@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd) dataoff = addr - section->vma; - /* PR 20605: Make sure that the data is really there. */ - if (dataoff + size > section->size) + /* PR 20605 and 22373: Make sure that the data is really there. + Note - since we are dealing with unsigned quantities we have + to be careful to check for potential overflows. */ + if (dataoff > section->size + || size > section->size + || dataoff + size > section->size) { _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."), abfd); Index: git/bfd/ChangeLog =================================================================== --- git.orig/bfd/ChangeLog +++ git/bfd/ChangeLog @@ -1,3 +1,9 @@ +2017-10-31 Nick Clifton + + PR 22373 + * peicode.h (pe_bfd_read_buildid): Check for invalid size and data + offset values. + 2017-11-03 Mingi Cho Nick Clifton