mirrors/binutils-gdb
0
0
Fork 0
mirror of https://sourceware.org/git/binutils-gdb.git synced 2024-11-28 12:33:36 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

mach-o: out of memory in get_dynamic_reloc_upper_bound

Browse Source 
* mach-o.c (bfd_mach_o_canonicalize_dynamic_reloc): Move sanity
	checks..
	(bfd_mach_o_get_dynamic_reloc_upper_bound): ..to here.
This commit is contained in:
Alan Modra 2023-03-17 21:07:17 +10:30
parent 1d7e244fc5
commit 92376883a9
1 changed files with 29 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
bfd/mach-o.c
View File

@ -1701,11 +1701,36 @@ long
bfd_mach_o_get_dynamic_reloc_upper_bound (bfd *abfd)
{
bfd_mach_o_data_struct *mdata = bfd_mach_o_get_data (abfd);
bfd_mach_o_dysymtab_command *dysymtab = mdata->dysymtab;
if (mdata->dysymtab == NULL)
if (dysymtab == NULL)
return 1;
return (mdata->dysymtab->nextrel + mdata->dysymtab->nlocrel + 1)
* sizeof (arelent *);
ufile_ptr filesize = bfd_get_file_size (abfd);
size_t amt;
if (filesize != 0)
{
if (dysymtab->extreloff > filesize
|| dysymtab->nextrel > ((filesize - dysymtab->extreloff)
/ BFD_MACH_O_RELENT_SIZE)
|| dysymtab->locreloff > filesize
|| dysymtab->nlocrel > ((filesize - dysymtab->locreloff)
/ BFD_MACH_O_RELENT_SIZE))
{
bfd_set_error (bfd_error_file_truncated);
return -1;
}
}
if (dysymtab->nextrel + dysymtab->nlocrel < dysymtab->nextrel
|| _bfd_mul_overflow (dysymtab->nextrel + dysymtab->nlocrel,
sizeof (arelent), &amt))
{
bfd_set_error (bfd_error_file_too_big);
return -1;
}
return (dysymtab->nextrel + dysymtab->nlocrel + 1) * sizeof (arelent *);
}
long
@ -1729,29 +1754,7 @@ bfd_mach_o_canonicalize_dynamic_reloc (bfd *abfd, arelent **rels,
if (mdata->dyn_reloc_cache == NULL)
{
ufile_ptr filesize = bfd_get_file_size (abfd);
size_t amt;
if (filesize != 0)
{
if (dysymtab->extreloff > filesize
|| dysymtab->nextrel > ((filesize - dysymtab->extreloff)
/ BFD_MACH_O_RELENT_SIZE)
|| dysymtab->locreloff > filesize
|| dysymtab->nlocrel > ((filesize - dysymtab->locreloff)
/ BFD_MACH_O_RELENT_SIZE))
{
bfd_set_error (bfd_error_file_truncated);
return -1;
}
}
if (_bfd_mul_overflow (dysymtab->nextrel + dysymtab->nlocrel,
sizeof (arelent), &amt))
{
bfd_set_error (bfd_error_file_too_big);
return -1;
}
size_t amt = (dysymtab->nextrel + dysymtab->nlocrel) * sizeof (arelent);
res = bfd_malloc (amt);
if (res == NULL)
return -1;