Blame SOURCES/binutils-CVE-2018-8945.patch

6cffa7
diff -rup binutils.orig/bfd/elf-attrs.c binutils-2.27/bfd/elf-attrs.c
6cffa7
--- binutils.orig/bfd/elf-attrs.c	2018-05-30 09:57:23.385080577 +0100
6cffa7
+++ binutils-2.27/bfd/elf-attrs.c	2018-05-30 10:01:03.528712202 +0100
6cffa7
@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El
6cffa7
   /* PR 17512: file: 2844a11d.  */
6cffa7
   if (hdr->sh_size == 0)
6cffa7
     return;
6cffa7
+  if (hdr->sh_size > bfd_get_size (abfd))
6cffa7
+    {
6cffa7
+      /* xgettext:c-format */
6cffa7
+      _bfd_error_handler (_("%B: error: attribute section '%A' too big: %#llx"),
6cffa7
+                         abfd, hdr->bfd_section, (long long) hdr->sh_size);
6cffa7
+      bfd_set_error (bfd_error_invalid_operation);
6cffa7
+      return;
6cffa7
+    }
6cffa7
+
6cffa7
   contents = (bfd_byte *) bfd_malloc (hdr->sh_size);
6cffa7
   if (!contents)
6cffa7
     return;
6cffa7
diff -rup binutils.orig/bfd/elf.c binutils-2.27/bfd/elf.c
6cffa7
--- binutils.orig/bfd/elf.c	2018-05-30 09:57:23.382080610 +0100
6cffa7
+++ binutils-2.27/bfd/elf.c	2018-05-30 10:01:52.766182199 +0100
6cffa7
@@ -297,6 +297,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
6cffa7
       /* Allocate and clear an extra byte at the end, to prevent crashes
6cffa7
 	 in case the string table is not terminated.  */
6cffa7
       if (shstrtabsize + 1 <= 1
6cffa7
+	  || shstrtabsize > bfd_get_size (abfd)
6cffa7
 	  || bfd_seek (abfd, offset, SEEK_SET) != 0
6cffa7
 	  || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
6cffa7
 	shstrtab = NULL;