From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 6 Feb 2018 15:48:29 +0000
Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by
 chacking the size of debuglink sections.

	PR 22794
	* opncls.c (bfd_get_debug_link_info_1): Check the size of the
	section before attempting to read it in.
	(bfd_get_alt_debug_link_info): Likewise.

Upstream-Status: Backport
Affects: <= 2.30
CVE: CVE-2018-6759
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 bfd/ChangeLog |  7 +++++++
 bfd/opncls.c  | 22 +++++++++++++++++-----
 2 files changed, 24 insertions(+), 5 deletions(-)

Index: git/bfd/opncls.c
===================================================================
--- git.orig/bfd/opncls.c
+++ git/bfd/opncls.c
@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
   bfd_byte *contents;
   unsigned int crc_offset;
   char *name;
+  bfd_size_type size;
 
   BFD_ASSERT (abfd);
   BFD_ASSERT (crc32_out);
@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
   if (sect == NULL)
     return NULL;
 
+  size = bfd_get_section_size (sect);
+
+  /* PR 22794: Make sure that the section has a reasonable size.  */
+  if (size < 8 || size >= bfd_get_size (abfd))
+    return NULL;
+
   if (!bfd_malloc_and_get_section (abfd, sect, &contents))
     {
       if (contents != NULL)
@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
 
   /* CRC value is stored after the filename, aligned up to 4 bytes.  */
   name = (char *) contents;
-  /* PR 17597: avoid reading off the end of the buffer.  */
-  crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
+  /* PR 17597: Avoid reading off the end of the buffer.  */
+  crc_offset = strnlen (name, size) + 1;
   crc_offset = (crc_offset + 3) & ~3;
-  if (crc_offset + 4 > bfd_get_section_size (sect))
+  if (crc_offset + 4 > size)
     return NULL;
 
   *crc32 = bfd_get_32 (abfd, contents + crc_offset);
@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
   bfd_byte *contents;
   unsigned int buildid_offset;
   char *name;
+  bfd_size_type size;
 
   BFD_ASSERT (abfd);
   BFD_ASSERT (buildid_len);
@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
   if (sect == NULL)
     return NULL;
 
+  size = bfd_get_section_size (sect);
+  if (size < 8 || size >= bfd_get_size (abfd))
+    return NULL;
+
   if (!bfd_malloc_and_get_section (abfd, sect, & contents))
     {
       if (contents != NULL)
@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
 
   /* BuildID value is stored after the filename.  */
   name = (char *) contents;
-  buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
+  buildid_offset = strnlen (name, size) + 1;
   if (buildid_offset >= bfd_get_section_size (sect))
     return NULL;
 
-  *buildid_len = bfd_get_section_size (sect) - buildid_offset;
+  *buildid_len = size - buildid_offset;
   *buildid_out = bfd_malloc (*buildid_len);
   memcpy (*buildid_out, contents + buildid_offset, *buildid_len);
 
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2018-02-06  Nick Clifton  <nickc@redhat.com>
+
+       PR 22794
+       * opncls.c (bfd_get_debug_link_info_1): Check the size of the
+       section before attempting to read it in.
+       (bfd_get_alt_debug_link_info): Likewise.
+
 2018-01-25  Alan Modra  <amodra@gmail.com>
 
        PR 22746