Blame SOURCES/binutils-CVE-2018-8945.patch

869a11
diff -rup binutils.orig/bfd/elf-attrs.c binutils-2.30/bfd/elf-attrs.c
869a11
--- binutils.orig/bfd/elf-attrs.c	2018-05-17 14:14:04.341805666 +0100
869a11
+++ binutils-2.30/bfd/elf-attrs.c	2018-05-17 14:15:19.729952453 +0100
869a11
@@ -438,6 +438,14 @@ _bfd_elf_parse_attributes (bfd *abfd, El
869a11
   /* PR 17512: file: 2844a11d.  */
869a11
   if (hdr->sh_size == 0)
869a11
     return;
869a11
+  if (hdr->sh_size > bfd_get_file_size (abfd))
869a11
+    {
869a11
+      _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),
869a11
+			  abfd, hdr->bfd_section, (long long) hdr->sh_size);
869a11
+      bfd_set_error (bfd_error_invalid_operation);
869a11
+      return;
869a11
+    }
869a11
+
869a11
   contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);
869a11
   if (!contents)
869a11
     return;
869a11
diff -rup binutils.orig/bfd/elf.c binutils-2.30/bfd/elf.c
869a11
--- binutils.orig/bfd/elf.c	2018-05-17 14:14:04.326805836 +0100
869a11
+++ binutils-2.30/bfd/elf.c	2018-05-17 14:15:59.412503342 +0100
869a11
@@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
869a11
       /* Allocate and clear an extra byte at the end, to prevent crashes
869a11
 	 in case the string table is not terminated.  */
869a11
       if (shstrtabsize + 1 <= 1
869a11
+	  || shstrtabsize > bfd_get_file_size (abfd)
869a11
 	  || bfd_seek (abfd, offset, SEEK_SET) != 0
869a11
 	  || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
869a11
 	shstrtab = NULL;