From 82156ab704b08b124d319c0decdbd48b3ca2dac5 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Mon, 3 Apr 2017 12:14:06 +0100 Subject: [PATCH] readelf: Fix overlarge memory allocation when reading a binary with an excessive number of program headers. PR binutils/21345 * readelf.c (get_program_headers): Check for there being too many program headers before attempting to allocate space for them. Upstream-Status: Backport CVE: CVE-2017-9039 VER: <= 2.28 Signed-off-by: Armin Kuster --- binutils/ChangeLog | 6 ++++++ binutils/readelf.c | 17 ++++++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) Index: git/binutils/readelf.c =================================================================== --- git.orig/binutils/readelf.c +++ git/binutils/readelf.c @@ -4705,9 +4705,19 @@ get_program_headers (FILE * file) if (program_headers != NULL) return 1; - phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, - sizeof (Elf_Internal_Phdr)); + /* Be kind to memory checkers by looking for + e_phnum values which we know must be invalid. */ + if (elf_header.e_phnum + * (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof (Elf64_External_Phdr)) + >= current_file_size) + { + error (_("Too many program headers - %#x - the file is not that big\n"), + elf_header.e_phnum); + return FALSE; + } + phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, + sizeof (Elf_Internal_Phdr)); if (phdrs == NULL) { error (_("Out of memory reading %u program headers\n"), @@ -14993,7 +15003,8 @@ process_mips_specific (FILE * file) /* PR 21344 */ if (data + ent - pltgot > data_end - addr_size) { - error (_("Invalid got entry - %#lx - overflows GOT table\n"), ent); + error (_("Invalid got entry - %#lx - overflows GOT table\n"), + (long) ent); goto got_print_fail; }