From 7916b653e5f97d7e271baabe5a7f142777e9d592 Mon Sep 17 00:00:00 2001
From: Jakub Jelinek <jakub@redhat.com>
Date: Fri, 17 Jun 2005 13:39:56 +0000
Subject: [PATCH] 	* elf.c (bfd_section_from_shdr): Fail if sh_entsize is
 bogus for 	symbol, relocation, group or versym sections.

	* coffcode.h (coff_slurp_reloc_table): Don't crash if native_relocs
	is NULL.
	* peXXigen.c (pe_print_idata): Don't crash if dll_name or start_address
	doesn't point into the section.
---
 bfd/ChangeLog  | 10 ++++++++++
 bfd/coffcode.h |  2 +-
 bfd/elf.c      | 22 ++++++++++++++++------
 bfd/peXXigen.c | 12 +++++++++++-
 4 files changed, 38 insertions(+), 8 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index f374000acb..f47dac29b0 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,13 @@
+2005-06-17  Jakub Jelinek  <jakub@redhat.com>
+
+	* elf.c (bfd_section_from_shdr): Fail if sh_entsize is bogus for
+	symbol, relocation, group or versym sections.
+
+	* coffcode.h (coff_slurp_reloc_table): Don't crash if native_relocs
+	is NULL.
+	* peXXigen.c (pe_print_idata): Don't crash if dll_name or start_address
+	doesn't point into the section.
+
 2005-06-17  Jan Beulich  <jbeulich@novell.com>
 
 	* bfd-in2.h (elf_x86_64_reloc_type): Add BFD_RELOC_X86_64_GOTOFF64
diff --git a/bfd/coffcode.h b/bfd/coffcode.h
index 917c0e4522..8b01f9ee93 100644
--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -4830,7 +4830,7 @@ coff_slurp_reloc_table (bfd * abfd, sec_ptr asect, asymbol ** symbols)
   amt = (bfd_size_type) asect->reloc_count * sizeof (arelent);
   reloc_cache = bfd_alloc (abfd, amt);
 
-  if (reloc_cache == NULL)
+  if (reloc_cache == NULL || native_relocs == NULL)
     return FALSE;
 
   for (idx = 0; idx < asect->reloc_count; idx++)
diff --git a/bfd/elf.c b/bfd/elf.c
index 5d4e1a309b..d301a9e14f 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -1811,7 +1811,8 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
       if (elf_onesymtab (abfd) == shindex)
 	return TRUE;
 
-      BFD_ASSERT (hdr->sh_entsize == bed->s->sizeof_sym);
+      if (hdr->sh_entsize != bed->s->sizeof_sym)
+	return FALSE;
       BFD_ASSERT (elf_onesymtab (abfd) == 0);
       elf_onesymtab (abfd) = shindex;
       elf_tdata (abfd)->symtab_hdr = *hdr;
@@ -1862,7 +1863,8 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
       if (elf_dynsymtab (abfd) == shindex)
 	return TRUE;
 
-      BFD_ASSERT (hdr->sh_entsize == bed->s->sizeof_sym);
+      if (hdr->sh_entsize != bed->s->sizeof_sym)
+	return FALSE;
       BFD_ASSERT (elf_dynsymtab (abfd) == 0);
       elf_dynsymtab (abfd) = shindex;
       elf_tdata (abfd)->dynsymtab_hdr = *hdr;
@@ -1946,6 +1948,10 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
 	Elf_Internal_Shdr *hdr2;
 	unsigned int num_sec = elf_numsections (abfd);
 
+	if (hdr->sh_entsize != (hdr->sh_type == SHT_REL
+				? bed->s->sizeof_rel : bed->s->sizeof_rela))
+	  return FALSE;
+
 	/* Check for a bogus link to avoid crashing.  */
 	if ((hdr->sh_link >= SHN_LORESERVE && hdr->sh_link <= SHN_HIRESERVE)
 	    || hdr->sh_link >= num_sec)
@@ -2004,10 +2010,10 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
 	  return _bfd_elf_make_section_from_shdr (abfd, hdr, name,
 						  shindex);
 
-        /* Prevent endless recursion on broken objects.  */
-        if (elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL
-            || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA)
-          return FALSE;
+	/* Prevent endless recursion on broken objects.  */
+	if (elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL
+	    || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA)
+	  return FALSE;
 	if (! bfd_section_from_shdr (abfd, hdr->sh_info))
 	  return FALSE;
 	target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info);
@@ -2047,6 +2053,8 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
       break;
 
     case SHT_GNU_versym:
+      if (hdr->sh_entsize != sizeof (Elf_External_Versym))
+	return FALSE;
       elf_dynversym (abfd) = shindex;
       elf_tdata (abfd)->dynversym_hdr = *hdr;
       return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex);
@@ -2065,6 +2073,8 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex)
       /* We need a BFD section for objcopy and relocatable linking,
 	 and it's handy to have the signature available as the section
 	 name.  */
+      if (hdr->sh_entsize != GRP_ENTRY_SIZE)
+	return FALSE;
       name = group_signature (abfd, hdr);
       if (name == NULL)
 	return FALSE;
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index 6597312adb..1be08466b2 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -1103,7 +1103,7 @@ pe_print_idata (bfd * abfd, void * vfile)
       bfd_vma toc_address;
       bfd_vma start_address;
       bfd_byte *data;
-      int offset;
+      bfd_vma offset;
 
       if (!bfd_malloc_and_get_section (abfd, rel_section, &data))
 	{
@@ -1114,6 +1114,13 @@ pe_print_idata (bfd * abfd, void * vfile)
 
       offset = abfd->start_address - rel_section->vma;
 
+      if (offset >= rel_section->size || offset + 8 > rel_section->size)
+        {
+          if (data != NULL)
+            free (data);
+          return FALSE;
+        }
+
       start_address = bfd_get_32 (abfd, data + offset);
       loadable_toc_address = bfd_get_32 (abfd, data + offset + 4);
       toc_address = loadable_toc_address - 32768;
@@ -1182,6 +1189,9 @@ pe_print_idata (bfd * abfd, void * vfile)
       if (hint_addr == 0 && first_thunk == 0)
 	break;
 
+      if (dll_name - adj >= section->size)
+        break;
+
       dll = (char *) data + dll_name - adj;
       fprintf (file, _("\n\tDLL Name: %s\n"), dll);
 
-- 
2.11.0