Blame SOURCES/binutils-CVE-2018-1000876.patch

43c6b8
diff -rup binutils.orig/bfd/aoutx.h binutils-2.27/bfd/aoutx.h
43c6b8
--- binutils.orig/bfd/aoutx.h	2019-01-14 16:10:59.344958851 +0000
43c6b8
+++ binutils-2.27/bfd/aoutx.h	2019-01-14 16:11:46.893598783 +0000
43c6b8
@@ -118,6 +118,7 @@ DESCRIPTION
43c6b8
 #define KEEPIT udata.i
43c6b8
 
43c6b8
 #include "sysdep.h"
43c6b8
+#include <limits.h>
43c6b8
 #include "bfd.h"
43c6b8
 #include "safe-ctype.h"
43c6b8
 #include "bfdlink.h"
43c6b8
@@ -2465,6 +2466,8 @@ NAME (aout, canonicalize_reloc) (bfd *ab
43c6b8
 long
43c6b8
 NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
43c6b8
 {
43c6b8
+  bfd_size_type count;
43c6b8
+
43c6b8
   if (bfd_get_format (abfd) != bfd_object)
43c6b8
     {
43c6b8
       bfd_set_error (bfd_error_invalid_operation);
43c6b8
@@ -2472,26 +2475,25 @@ NAME (aout, get_reloc_upper_bound) (bfd
43c6b8
     }
43c6b8
 
43c6b8
   if (asect->flags & SEC_CONSTRUCTOR)
43c6b8
-    return sizeof (arelent *) * (asect->reloc_count + 1);
43c6b8
-
43c6b8
-  if (asect == obj_datasec (abfd))
43c6b8
-    return sizeof (arelent *)
43c6b8
-      * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
43c6b8
-	 + 1);
43c6b8
-
43c6b8
-  if (asect == obj_textsec (abfd))
43c6b8
-    return sizeof (arelent *)
43c6b8
-      * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
43c6b8
-	 + 1);
43c6b8
-
43c6b8
-  if (asect == obj_bsssec (abfd))
43c6b8
-    return sizeof (arelent *);
43c6b8
-
43c6b8
-  if (asect == obj_bsssec (abfd))
43c6b8
-    return 0;
43c6b8
+    count = asect->reloc_count;
43c6b8
+  else if (asect == obj_datasec (abfd))
43c6b8
+    count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
43c6b8
+  else if (asect == obj_textsec (abfd))
43c6b8
+    count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
43c6b8
+  else if (asect == obj_bsssec (abfd))
43c6b8
+    count = 0;
43c6b8
+  else
43c6b8
+    {
43c6b8
+      bfd_set_error (bfd_error_invalid_operation);
43c6b8
+      return -1;
43c6b8
+    }
43c6b8
 
43c6b8
-  bfd_set_error (bfd_error_invalid_operation);
43c6b8
-  return -1;
43c6b8
+  if (count >= LONG_MAX / sizeof (arelent *))
43c6b8
+    {
43c6b8
+      bfd_set_error (bfd_error_file_too_big);
43c6b8
+      return -1;
43c6b8
+    }
43c6b8
+  return (count + 1) * sizeof (arelent *);
43c6b8
 }
43c6b8
 
43c6b8
 long
43c6b8
diff -rup binutils.orig/bfd/elf.c binutils-2.27/bfd/elf.c
43c6b8
--- binutils.orig/bfd/elf.c	2019-01-14 16:10:59.331958950 +0000
43c6b8
+++ binutils-2.27/bfd/elf.c	2019-01-14 16:11:52.525556135 +0000
43c6b8
@@ -35,6 +35,7 @@ SECTION
43c6b8
 /* For sparc64-cross-sparc32.  */
43c6b8
 #define _SYSCALL32
43c6b8
 #include "sysdep.h"
43c6b8
+#include <limits.h>
43c6b8
 #include "bfd.h"
43c6b8
 #include "bfdlink.h"
43c6b8
 #include "libbfd.h"
43c6b8
@@ -7769,11 +7770,16 @@ Unable to find equivalent output section
43c6b8
 long
43c6b8
 _bfd_elf_get_symtab_upper_bound (bfd *abfd)
43c6b8
 {
43c6b8
-  long symcount;
43c6b8
+  bfd_size_type symcount;
43c6b8
   long symtab_size;
43c6b8
   Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
43c6b8
 
43c6b8
   symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
43c6b8
+  if (symcount >= LONG_MAX / sizeof (asymbol *))
43c6b8
+    {
43c6b8
+      bfd_set_error (bfd_error_file_too_big);
43c6b8
+      return -1;
43c6b8
+    }
43c6b8
   symtab_size = (symcount + 1) * (sizeof (asymbol *));
43c6b8
   if (symcount > 0)
43c6b8
     symtab_size -= sizeof (asymbol *);
43c6b8
@@ -7784,7 +7790,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *ab
43c6b8
 long
43c6b8
 _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
43c6b8
 {
43c6b8
-  long symcount;
43c6b8
+  bfd_size_type symcount;
43c6b8
   long symtab_size;
43c6b8
   Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
43c6b8
 
43c6b8
@@ -7795,6 +7801,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound
43c6b8
     }
43c6b8
 
43c6b8
   symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
43c6b8
+  if (symcount >= LONG_MAX / sizeof (asymbol *))
43c6b8
+    {
43c6b8
+      bfd_set_error (bfd_error_file_too_big);
43c6b8
+      return -1;
43c6b8
+    }
43c6b8
   symtab_size = (symcount + 1) * (sizeof (asymbol *));
43c6b8
   if (symcount > 0)
43c6b8
     symtab_size -= sizeof (asymbol *);
43c6b8
@@ -7864,7 +7875,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bf
43c6b8
 long
43c6b8
 _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
43c6b8
 {
43c6b8
-  long ret;
43c6b8
+  bfd_size_type count;
43c6b8
   asection *s;
43c6b8
 
43c6b8
   if (elf_dynsymtab (abfd) == 0)
43c6b8
@@ -7873,15 +7884,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (
43c6b8
       return -1;
43c6b8
     }
43c6b8
 
43c6b8
-  ret = sizeof (arelent *);
43c6b8
+  count = 1;
43c6b8
   for (s = abfd->sections; s != NULL; s = s->next)
43c6b8
     if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
43c6b8
 	&& (elf_section_data (s)->this_hdr.sh_type == SHT_REL
43c6b8
 	    || elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
43c6b8
-      ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
43c6b8
-	      * sizeof (arelent *));
43c6b8
-
43c6b8
-  return ret;
43c6b8
+      {
43c6b8
+	count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
43c6b8
+	if (count > LONG_MAX / sizeof (arelent *))
43c6b8
+	  {
43c6b8
+	    bfd_set_error (bfd_error_file_too_big);
43c6b8
+	    return -1;
43c6b8
+	  }
43c6b8
+      }
43c6b8
+  return count * sizeof (arelent *);
43c6b8
 }
43c6b8
 
43c6b8
 /* Canonicalize the dynamic relocation entries.  Note that we return the
43c6b8