Blame SOURCES/binutils-CVE-2018-8945.patch

49857a
diff -rup binutils.orig/bfd/elf-attrs.c binutils-2.27/bfd/elf-attrs.c
49857a
--- binutils.orig/bfd/elf-attrs.c	2018-05-30 09:57:23.385080577 +0100
49857a
+++ binutils-2.27/bfd/elf-attrs.c	2018-05-30 10:01:03.528712202 +0100
49857a
@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El
49857a
   /* PR 17512: file: 2844a11d.  */
49857a
   if (hdr->sh_size == 0)
49857a
     return;
49857a
+  if (hdr->sh_size > bfd_get_size (abfd))
49857a
+    {
49857a
+      /* xgettext:c-format */
49857a
+      _bfd_error_handler (_("%B: error: attribute section '%A' too big: %#llx"),
49857a
+                         abfd, hdr->bfd_section, (long long) hdr->sh_size);
49857a
+      bfd_set_error (bfd_error_invalid_operation);
49857a
+      return;
49857a
+    }
49857a
+
49857a
   contents = (bfd_byte *) bfd_malloc (hdr->sh_size);
49857a
   if (!contents)
49857a
     return;
49857a
diff -rup binutils.orig/bfd/elf.c binutils-2.27/bfd/elf.c
49857a
--- binutils.orig/bfd/elf.c	2018-05-30 09:57:23.382080610 +0100
49857a
+++ binutils-2.27/bfd/elf.c	2018-05-30 10:01:52.766182199 +0100
49857a
@@ -297,6 +297,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
49857a
       /* Allocate and clear an extra byte at the end, to prevent crashes
49857a
 	 in case the string table is not terminated.  */
49857a
       if (shstrtabsize + 1 <= 1
49857a
+	  || shstrtabsize > bfd_get_size (abfd)
49857a
 	  || bfd_seek (abfd, offset, SEEK_SET) != 0
49857a
 	  || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
49857a
 	shstrtab = NULL;