Blame SOURCES/binutils-CVE-2021-3487.patch

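--- binutils.orig/bfd/dwarf2.c	2021-04-14 14:24:18.945917267 +0100
+++ binutils-2.30/bfd/dwarf2.c	2021-04-14 14:25:51.908614106 +0100
@@ -532,6 +532,10 @@ read_section (bfd *	      abfd,
   /* The section may have already been read.  */
   if (contents == NULL)
     {
+      bfd_size_type amt;
+      asection *msec;
+      ufile_ptr filesize;
+
       msec = bfd_get_section_by_name (abfd, section_name);
       if (! msec)
 	{
@@ -547,10 +551,22 @@ read_section (bfd *	      abfd,
 	  return FALSE;
 	}
 
-      *section_size = msec->rawsize ? msec->rawsize : msec->size;
+      amt = bfd_get_section_limit_octets (abfd, msec);
+      filesize = bfd_get_file_size (abfd);
+      if (amt >= filesize)
+       {
+         /* PR 26946 */
+         _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
+                             section_name, (long) amt, (long) filesize);
+         bfd_set_error (bfd_error_bad_value);
+         return FALSE;
+       }
+      *section_size = amt;
+
       /* Paranoia - alloc one extra so that we can make sure a string
 	 section is NUL terminated.  */
-      amt = *section_size + 1;
+      amt += 1;
+
       if (amt == 0)
 	{
 	  bfd_set_error (bfd_error_no_memory);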
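Review bot: The new bound `if (amt >= filesize)` in the second hunk trusts the value from bfd_get_file_size unconditionally, so if that helper returns 0 when the size cannot be determined (as I recall it does; confirm against bfdio.c in this tree), every DWARF section of such a BFD is rejected with bfd_error_bad_value. If failing closed on an unknown size is intended, a comment next to `/* PR 26946 */` should say so; otherwise `if (filesize != 0 && amt >= filesize)` keeps the allocation cap for ordinary files, though an unknown-size input would then need some other limit. It is also worth confirming that a compressed debug section, whose reported size may be the uncompressed one, cannot legitimately reach the file size on this path. The diagnostic casts both values to `(long)` for `0x%lx`, which truncates a 64-bit bfd_size_type on hosts where long is 32 bits, precisely in the malformed-input case the message is meant to describe; `(unsigned long) amt, (unsigned long) filesize` would at least match the conversion. read_section begins and ends outside these hunks, so the allocation and read that consume `amt` are not visible here.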