1 |
tamiko 17/06/07 14:44:23 |
2 |
|
3 |
Modified: README.history |
4 |
Added: 00_all_0018-CVE-2017-6965.patch |
5 |
00_all_0019-CVE-2017-6966.patch |
6 |
00_all_0020-CVE-2017-6969.patch |
7 |
Log: |
8 |
binutils-2.28: Update to patchset 1.2 |
9 |
|
10 |
Revision Changes Path |
11 |
1.3 src/patchsets/binutils/2.28/README.history |
12 |
|
13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/README.history?rev=1.3&view=markup |
14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/README.history?rev=1.3&content-type=text/plain |
15 |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/README.history?r1=1.2&r2=1.3 |
16 |
|
17 |
Index: README.history |
18 |
=================================================================== |
19 |
RCS file: /var/cvsroot/gentoo/src/patchsets/binutils/2.28/README.history,v |
20 |
retrieving revision 1.2 |
21 |
retrieving revision 1.3 |
22 |
diff -u -r1.2 -r1.3 |
23 |
--- README.history 6 Jun 2017 22:17:49 -0000 1.2 |
24 |
+++ README.history 7 Jun 2017 14:44:23 -0000 1.3 |
25 |
@@ -1,3 +1,8 @@ |
26 |
+1.2 07 Jun 2017 |
27 |
+ + 00_all_0018-CVE-2017-6965.patch |
28 |
+ + 00_all_0019-CVE-2017-6966.patch |
29 |
+ + 00_all_0020-CVE-2017-6969.patch |
30 |
+ |
31 |
1.1 06 Jun 2017 |
32 |
+ 00_all_0007-CVE-2017-8398.patch |
33 |
+ 00_all_0008-CVE-2017-8393.patch |
34 |
|
35 |
|
36 |
|
37 |
1.1 src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch |
38 |
|
39 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch?rev=1.1&view=markup |
40 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/00_all_0018-CVE-2017-6965.patch?rev=1.1&content-type=text/plain |
41 |
|
42 |
Index: 00_all_0018-CVE-2017-6965.patch |
43 |
=================================================================== |
44 |
From 00e45d8e07536e7eee850f00a6101011e7088171 Mon Sep 17 00:00:00 2001 |
45 |
From: Matthias Maier <tamiko@××××.org> |
46 |
Date: Wed, 7 Jun 2017 09:29:37 -0500 |
47 |
Subject: [PATCH 1/3] CVE-2017-6965 |
48 |
|
49 |
[PATCH] Fix readelf writing to illegal addresses whilst processing corrupt input files containing symbol-difference relocations. |
50 |
|
51 |
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493 |
52 |
[2] https://bugs.gentoo.org/show_bug.cgi?id=621130 |
53 |
--- |
54 |
binutils/readelf.c | 30 +++++++++++++++++++++++++----- |
55 |
1 file changed, 25 insertions(+), 5 deletions(-) |
56 |
|
57 |
diff --git a/binutils/readelf.c b/binutils/readelf.c |
58 |
index 5507663..7a908a1 100644 |
59 |
--- a/binutils/readelf.c |
60 |
+++ b/binutils/readelf.c |
61 |
@@ -11600,6 +11600,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED) |
62 |
static bfd_boolean |
63 |
target_specific_reloc_handling (Elf_Internal_Rela * reloc, |
64 |
unsigned char * start, |
65 |
+ unsigned char * end, |
66 |
Elf_Internal_Sym * symtab) |
67 |
{ |
68 |
unsigned int reloc_type = get_reloc_type (reloc->r_info); |
69 |
@@ -11640,13 +11641,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, |
70 |
handle_sym_diff: |
71 |
if (saved_sym != NULL) |
72 |
{ |
73 |
+ int reloc_size = reloc_type == 1 ? 4 : 2; |
74 |
bfd_vma value; |
75 |
|
76 |
value = reloc->r_addend |
77 |
+ (symtab[get_reloc_symindex (reloc->r_info)].st_value |
78 |
- saved_sym->st_value); |
79 |
|
80 |
- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); |
81 |
+ if (start + reloc->r_offset + reloc_size >= end) |
82 |
+ /* PR 21137 */ |
83 |
+ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), |
84 |
+ start + reloc->r_offset + reloc_size, end); |
85 |
+ else |
86 |
+ byte_put (start + reloc->r_offset, value, reloc_size); |
87 |
|
88 |
saved_sym = NULL; |
89 |
return TRUE; |
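Review bot: The new guard `start + reloc->r_offset + reloc_size >= end` is computed from the untrusted `r_offset` itself: forming a pointer beyond the section is undefined behaviour, and a very large offset can wrap so that the comparison passes and `byte_put` still writes outside the buffer. Comparing offsets rather than pointers avoids this, e.g. `if (reloc->r_offset > (bfd_vma) (end - start) || (bfd_vma) (end - start) - reloc->r_offset < (bfd_vma) reloc_size)`, assuming the caller guarantees `start <= end`. The `>=` also rejects a relocation whose last byte is the last byte of the section, where `>` would be exact. The same expression is repeated in the MN10300 and RL78 hunks that follow; the function body starts and ends outside this hunk.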
90 |
@@ -11677,13 +11684,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, |
91 |
case 2: /* R_MN10300_16 */ |
92 |
if (saved_sym != NULL) |
93 |
{ |
94 |
+ int reloc_size = reloc_type == 1 ? 4 : 2; |
95 |
bfd_vma value; |
96 |
|
97 |
value = reloc->r_addend |
98 |
+ (symtab[get_reloc_symindex (reloc->r_info)].st_value |
99 |
- saved_sym->st_value); |
100 |
|
101 |
- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); |
102 |
+ if (start + reloc->r_offset + reloc_size >= end) |
103 |
+ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), |
104 |
+ start + reloc->r_offset + reloc_size, end); |
105 |
+ else |
106 |
+ byte_put (start + reloc->r_offset, value, reloc_size); |
107 |
|
108 |
saved_sym = NULL; |
109 |
return TRUE; |
110 |
@@ -11718,12 +11730,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, |
111 |
break; |
112 |
|
113 |
case 0x41: /* R_RL78_ABS32. */ |
114 |
- byte_put (start + reloc->r_offset, value, 4); |
115 |
+ if (start + reloc->r_offset + 4 >= end) |
116 |
+ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), |
117 |
+ start + reloc->r_offset + 2, end); |
118 |
+ else |
119 |
+ byte_put (start + reloc->r_offset, value, 4); |
120 |
value = 0; |
121 |
return TRUE; |
122 |
|
123 |
case 0x43: /* R_RL78_ABS16. */ |
124 |
- byte_put (start + reloc->r_offset, value, 2); |
125 |
+ if (start + reloc->r_offset + 2 >= end) |
126 |
+ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), |
127 |
+ start + reloc->r_offset + 2, end); |
128 |
+ else |
129 |
+ byte_put (start + reloc->r_offset, value, 2); |
130 |
value = 0; |
131 |
return TRUE; |
132 |
|
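Review bot: In the R_RL78_ABS32 case the test uses a 4-byte width, but the error call prints `start + reloc->r_offset + 2`, so the address reported is not the one that failed the check. The argument should be `start + reloc->r_offset + 4`, matching the condition and the `byte_put (..., 4)` call. The enclosing switch begins and continues outside this hunk.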
133 |
@@ -12340,7 +12360,7 @@ apply_relocations (void * file, |
134 |
|
135 |
reloc_type = get_reloc_type (rp->r_info); |
136 |
|
137 |
- if (target_specific_reloc_handling (rp, start, symtab)) |
138 |
+ if (target_specific_reloc_handling (rp, start, end, symtab)) |
139 |
continue; |
140 |
else if (is_none_reloc (reloc_type)) |
141 |
continue; |
142 |
-- |
143 |
2.13.0 |
144 |
|
145 |
|
146 |
|
147 |
|
148 |
1.1 src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch |
149 |
|
150 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch?rev=1.1&view=markup |
151 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/00_all_0019-CVE-2017-6966.patch?rev=1.1&content-type=text/plain |
152 |
|
153 |
Index: 00_all_0019-CVE-2017-6966.patch |
154 |
=================================================================== |
155 |
From f25ff3ce9735df03fcbe7ecc1897cf8e0de4b6ae Mon Sep 17 00:00:00 2001 |
156 |
From: Matthias Maier <tamiko@××××.org> |
157 |
Date: Wed, 7 Jun 2017 09:31:53 -0500 |
158 |
Subject: [PATCH 2/3] CVE-2017-6966 |
159 |
|
160 |
[PATCH] Fix read-after-free error in readelf when processing multiple, relocated sections in an MSP430 binary. |
161 |
|
162 |
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9 |
163 |
[2] https://bugs.gentoo.org/show_bug.cgi?id=621130 |
164 |
--- |
165 |
binutils/readelf.c | 109 +++++++++++++++++++++++++++++++++++++++++------------ |
166 |
1 file changed, 84 insertions(+), 25 deletions(-) |
167 |
|
168 |
diff --git a/binutils/readelf.c b/binutils/readelf.c |
169 |
index 7a908a1..fd23b6b 100644 |
170 |
--- a/binutils/readelf.c |
171 |
+++ b/binutils/readelf.c |
172 |
@@ -11595,15 +11595,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED) |
173 |
|
174 |
/* Check to see if the given reloc needs to be handled in a target specific |
175 |
manner. If so then process the reloc and return TRUE otherwise return |
176 |
- FALSE. */ |
177 |
+ FALSE. |
178 |
+ |
179 |
+ If called with reloc == NULL, then this is a signal that reloc processing |
180 |
+ for the current section has finished, and any saved state should be |
181 |
+ discarded. */ |
182 |
|
183 |
static bfd_boolean |
184 |
target_specific_reloc_handling (Elf_Internal_Rela * reloc, |
185 |
unsigned char * start, |
186 |
unsigned char * end, |
187 |
- Elf_Internal_Sym * symtab) |
188 |
+ Elf_Internal_Sym * symtab, |
189 |
+ unsigned long num_syms) |
190 |
{ |
191 |
- unsigned int reloc_type = get_reloc_type (reloc->r_info); |
192 |
+ unsigned int reloc_type = 0; |
193 |
+ unsigned long sym_index = 0; |
194 |
+ |
195 |
+ if (reloc) |
196 |
+ { |
197 |
+ reloc_type = get_reloc_type (reloc->r_info); |
198 |
+ sym_index = get_reloc_symindex (reloc->r_info); |
199 |
+ } |
200 |
|
201 |
switch (elf_header.e_machine) |
202 |
{ |
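Review bot: The updated header comment documents the `reloc == NULL` reset call but says nothing about the two bounds parameters or about the return value of the reset call. I would extend it with something like `START and END delimit the section contents being patched and NUM_SYMS is the number of entries in SYMTAB; on the reset call the other arguments are ignored.` Because `reloc_type` and `sym_index` are now 0 when `reloc` is NULL, any machine case without the NULL guard would go on to its `switch (reloc_type)`. Only the three cases in the later hunks add the guard, and the rest of the function is outside this hunk, so that is worth stating in the comment as a rule for new cases.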
203 |
@@ -11612,6 +11624,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, |
204 |
{ |
205 |
static Elf_Internal_Sym * saved_sym = NULL; |
206 |
|
207 |
+ if (reloc == NULL) |
208 |
+ { |
209 |
+ saved_sym = NULL; |
210 |
+ return TRUE; |
211 |
+ } |
212 |
+ |
213 |
switch (reloc_type) |
214 |
{ |
215 |
case 10: /* R_MSP430_SYM_DIFF */ |
216 |
@@ -11619,7 +11637,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, |
217 |
break; |
218 |
/* Fall through. */ |
219 |
case 21: /* R_MSP430X_SYM_DIFF */ |
220 |
- saved_sym = symtab + get_reloc_symindex (reloc->r_info); |
221 |
+ /* PR 21139. */ |
222 |
+ if (sym_index >= num_syms) |
223 |
+ error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"), |
224 |
+ sym_index); |
225 |
+ else |
226 |
+ saved_sym = symtab + sym_index; |
227 |
return TRUE; |
228 |
|
229 |
case 1: /* R_MSP430_32 or R_MSP430_ABS32 */ |
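Review bot: When `sym_index >= num_syms` the SYM_DIFF case reports the error but leaves `saved_sym` as it was, so a symbol saved by an earlier, not yet consumed SYM_DIFF would be paired with the next 32/16-bit reloc through the `if (saved_sym != NULL)` path. Clearing it in the error branch keeps a rejected reloc from having any effect: `{ error (...); saved_sym = NULL; }`. The R_MN10300_SYM_DIFF case in the hunk at -11673 has the same shape. The enclosing switch continues outside this hunk.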
230 |
@@ -11644,16 +11667,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, |
231 |
int reloc_size = reloc_type == 1 ? 4 : 2; |
232 |
bfd_vma value; |
233 |
|
234 |
- value = reloc->r_addend |
235 |
- + (symtab[get_reloc_symindex (reloc->r_info)].st_value |
236 |
- - saved_sym->st_value); |
237 |
- |
238 |
- if (start + reloc->r_offset + reloc_size >= end) |
239 |
- /* PR 21137 */ |
240 |
- error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), |
241 |
- start + reloc->r_offset + reloc_size, end); |
242 |
+ if (sym_index >= num_syms) |
243 |
+ error (_("MSP430 reloc contains invalid symbol index %lu\n"), |
244 |
+ sym_index); |
245 |
else |
246 |
- byte_put (start + reloc->r_offset, value, reloc_size); |
247 |
+ { |
248 |
+ value = reloc->r_addend + (symtab[sym_index].st_value |
249 |
+ - saved_sym->st_value); |
250 |
+ |
251 |
+ if (start + reloc->r_offset + reloc_size >= end) |
252 |
+ /* PR 21137 */ |
253 |
+ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), |
254 |
+ start + reloc->r_offset + reloc_size, end); |
255 |
+ else |
256 |
+ byte_put (start + reloc->r_offset, value, reloc_size); |
257 |
+ } |
258 |
|
259 |
saved_sym = NULL; |
260 |
return TRUE; |
261 |
@@ -11673,13 +11701,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, |
262 |
{ |
263 |
static Elf_Internal_Sym * saved_sym = NULL; |
264 |
|
265 |
+ if (reloc == NULL) |
266 |
+ { |
267 |
+ saved_sym = NULL; |
268 |
+ return TRUE; |
269 |
+ } |
270 |
+ |
271 |
switch (reloc_type) |
272 |
{ |
273 |
case 34: /* R_MN10300_ALIGN */ |
274 |
return TRUE; |
275 |
case 33: /* R_MN10300_SYM_DIFF */ |
276 |
- saved_sym = symtab + get_reloc_symindex (reloc->r_info); |
277 |
+ if (sym_index >= num_syms) |
278 |
+ error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"), |
279 |
+ sym_index); |
280 |
+ else |
281 |
+ saved_sym = symtab + sym_index; |
282 |
return TRUE; |
283 |
+ |
284 |
case 1: /* R_MN10300_32 */ |
285 |
case 2: /* R_MN10300_16 */ |
286 |
if (saved_sym != NULL) |
287 |
@@ -11687,15 +11726,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, |
288 |
int reloc_size = reloc_type == 1 ? 4 : 2; |
289 |
bfd_vma value; |
290 |
|
291 |
- value = reloc->r_addend |
292 |
- + (symtab[get_reloc_symindex (reloc->r_info)].st_value |
293 |
- - saved_sym->st_value); |
294 |
- |
295 |
- if (start + reloc->r_offset + reloc_size >= end) |
296 |
- error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), |
297 |
- start + reloc->r_offset + reloc_size, end); |
298 |
+ if (sym_index >= num_syms) |
299 |
+ error (_("MN10300 reloc contains invalid symbol index %lu\n"), |
300 |
+ sym_index); |
301 |
else |
302 |
- byte_put (start + reloc->r_offset, value, reloc_size); |
303 |
+ { |
304 |
+ value = reloc->r_addend + (symtab[sym_index].st_value |
305 |
+ - saved_sym->st_value); |
306 |
+ |
307 |
+ if (start + reloc->r_offset + reloc_size >= end) |
308 |
+ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), |
309 |
+ start + reloc->r_offset + reloc_size, end); |
310 |
+ else |
311 |
+ byte_put (start + reloc->r_offset, value, reloc_size); |
312 |
+ } |
313 |
|
314 |
saved_sym = NULL; |
315 |
return TRUE; |
316 |
@@ -11715,12 +11759,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, |
317 |
static bfd_vma saved_sym2 = 0; |
318 |
static bfd_vma value; |
319 |
|
320 |
+ if (reloc == NULL) |
321 |
+ { |
322 |
+ saved_sym1 = saved_sym2 = 0; |
323 |
+ return TRUE; |
324 |
+ } |
325 |
+ |
326 |
switch (reloc_type) |
327 |
{ |
328 |
case 0x80: /* R_RL78_SYM. */ |
329 |
saved_sym1 = saved_sym2; |
330 |
- saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value; |
331 |
- saved_sym2 += reloc->r_addend; |
332 |
+ if (sym_index >= num_syms) |
333 |
+ error (_("RL78_SYM reloc contains invalid symbol index %lu\n"), |
334 |
+ sym_index); |
335 |
+ else |
336 |
+ { |
337 |
+ saved_sym2 = symtab[sym_index].st_value; |
338 |
+ saved_sym2 += reloc->r_addend; |
339 |
+ } |
340 |
return TRUE; |
341 |
|
342 |
case 0x83: /* R_RL78_OPsub. */ |
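Review bot: The reset branch clears `saved_sym1` and `saved_sym2` but not the third static, `value`, which the ABS32/ABS16 cases write into the section with `byte_put`. If a section's relocs end between an operation reloc and the ABS reloc that consumes it, the stale `value` presumably carries into the next section; `saved_sym1 = saved_sym2 = value = 0;` would discard all saved state, as the function comment promises. Separately, in R_RL78_SYM the line `saved_sym1 = saved_sym2;` runs before the index check, so a rejected reloc still shifts the pair; moving that assignment into the `else` block avoids it. The switch continues outside this hunk.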
343 |
@@ -12360,7 +12416,7 @@ apply_relocations (void * file, |
344 |
|
345 |
reloc_type = get_reloc_type (rp->r_info); |
346 |
|
347 |
- if (target_specific_reloc_handling (rp, start, end, symtab)) |
348 |
+ if (target_specific_reloc_handling (rp, start, end, symtab, num_syms)) |
349 |
continue; |
350 |
else if (is_none_reloc (reloc_type)) |
351 |
continue; |
352 |
@@ -12456,6 +12512,9 @@ apply_relocations (void * file, |
353 |
} |
354 |
|
355 |
free (symtab); |
356 |
+ /* Let the target specific reloc processing code know that |
357 |
+ we have finished with these relocs. */ |
358 |
+ target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0); |
359 |
|
360 |
if (relocs_return) |
361 |
{ |
362 |
-- |
363 |
2.13.0 |
364 |
|
365 |
|
366 |
|
367 |
|
368 |
1.1 src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch |
369 |
|
370 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch?rev=1.1&view=markup |
371 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/binutils/2.28/00_all_0020-CVE-2017-6969.patch?rev=1.1&content-type=text/plain |
372 |
|
373 |
Index: 00_all_0020-CVE-2017-6969.patch |
374 |
=================================================================== |
375 |
From bb8c412a9450141286bf4eef04b14fe47bbc364f Mon Sep 17 00:00:00 2001 |
376 |
From: Matthias Maier <tamiko@××××.org> |
377 |
Date: Wed, 7 Jun 2017 09:35:35 -0500 |
378 |
Subject: [PATCH 3/3] CVE-2017-6969 |
379 |
|
380 |
[PATCH] Fix illegal memory accesses in readelf when parsing a corrupt binary. |
381 |
[PATCH] Fix another memory access error in readelf when parsing a corrupt binary. |
382 |
|
383 |
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b814a36d3440de95f2ac6eaa4fc7935c322ea456 |
384 |
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=43a444f9c5bfd44b4304eafd78338e21d54bea14 |
385 |
[2] https://bugs.gentoo.org/show_bug.cgi?id=621130 |
386 |
--- |
387 |
binutils/dwarf.c | 34 ++++++++++++++++++++-------------- |
388 |
binutils/readelf.c | 10 ++++++++-- |
389 |
2 files changed, 28 insertions(+), 16 deletions(-) |
390 |
|
391 |
diff --git a/binutils/dwarf.c b/binutils/dwarf.c |
392 |
index 05efa6e..3312bc5 100644 |
393 |
--- a/binutils/dwarf.c |
394 |
+++ b/binutils/dwarf.c |
395 |
@@ -76,7 +76,6 @@ int dwarf_check = 0; |
396 |
as a zero-terminated list of section indexes comprising one set of debug |
397 |
sections from a .dwo file. */ |
398 |
|
399 |
-static int cu_tu_indexes_read = 0; |
400 |
static unsigned int *shndx_pool = NULL; |
401 |
static unsigned int shndx_pool_size = 0; |
402 |
static unsigned int shndx_pool_used = 0; |
403 |
@@ -99,7 +98,7 @@ static int tu_count = 0; |
404 |
static struct cu_tu_set *cu_sets = NULL; |
405 |
static struct cu_tu_set *tu_sets = NULL; |
406 |
|
407 |
-static void load_cu_tu_indexes (void *file); |
408 |
+static bfd_boolean load_cu_tu_indexes (void *); |
409 |
|
410 |
/* Values for do_debug_lines. */ |
411 |
#define FLAG_DEBUG_LINES_RAW 1 |
412 |
@@ -2739,7 +2738,7 @@ load_debug_info (void * file) |
413 |
return num_debug_info_entries; |
414 |
|
415 |
/* If this is a DWARF package file, load the CU and TU indexes. */ |
416 |
- load_cu_tu_indexes (file); |
417 |
+ (void) load_cu_tu_indexes (file); |
418 |
|
419 |
if (load_debug_section (info, file) |
420 |
&& process_debug_info (&debug_displays [info].section, file, abbrev, 1, 0)) |
421 |
@@ -7402,21 +7401,27 @@ process_cu_tu_index (struct dwarf_section *section, int do_display) |
422 |
section sets that we can use to associate a .debug_info.dwo section |
423 |
with its associated .debug_abbrev.dwo section in a .dwp file. */ |
424 |
|
425 |
-static void |
426 |
+static bfd_boolean |
427 |
load_cu_tu_indexes (void *file) |
428 |
{ |
429 |
+ static int cu_tu_indexes_read = -1; /* Tri-state variable. */ |
430 |
+ |
431 |
/* If we have already loaded (or tried to load) the CU and TU indexes |
432 |
then do not bother to repeat the task. */ |
433 |
- if (cu_tu_indexes_read) |
434 |
- return; |
435 |
- |
436 |
- if (load_debug_section (dwp_cu_index, file)) |
437 |
- process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0); |
438 |
- |
439 |
- if (load_debug_section (dwp_tu_index, file)) |
440 |
- process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0); |
441 |
+ if (cu_tu_indexes_read == -1) |
442 |
+ { |
443 |
+ cu_tu_indexes_read = TRUE; |
444 |
+ |
445 |
+ if (load_debug_section (dwp_cu_index, file)) |
446 |
+ if (! process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0)) |
447 |
+ cu_tu_indexes_read = FALSE; |
448 |
+ |
449 |
+ if (load_debug_section (dwp_tu_index, file)) |
450 |
+ if (! process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0)) |
451 |
+ cu_tu_indexes_read = FALSE; |
452 |
+ } |
453 |
|
454 |
- cu_tu_indexes_read = 1; |
455 |
+ return (bfd_boolean) cu_tu_indexes_read; |
456 |
} |
457 |
|
458 |
/* Find the set of sections that includes section SHNDX. */ |
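Review bot: Moving `cu_tu_indexes_read` from file scope into `load_cu_tu_indexes` means nothing outside the function can reset it, so the result of the first call is returned for every later call in the process. If the tool handles more than one input per run (not visible here), the cached answer and the `shndx_pool` contents would describe the previous file; keeping the variable at file scope would let per-file cleanup set it back to -1. The tri-state comment could also spell out the states, e.g. `/* -1: not yet tried, FALSE: load failed, TRUE: loaded. */`, and the function's header comment does not yet mention the new return value.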
459 |
@@ -7426,7 +7431,8 @@ find_cu_tu_set (void *file, unsigned int shndx) |
460 |
{ |
461 |
unsigned int i; |
462 |
|
463 |
- load_cu_tu_indexes (file); |
464 |
+ if (! load_cu_tu_indexes (file)) |
465 |
+ return NULL; |
466 |
|
467 |
/* Find SHNDX in the shndx pool. */ |
468 |
for (i = 0; i < shndx_pool_used; i++) |
469 |
diff --git a/binutils/readelf.c b/binutils/readelf.c |
470 |
index fd23b6b..3950412 100644 |
471 |
--- a/binutils/readelf.c |
472 |
+++ b/binutils/readelf.c |
473 |
@@ -675,8 +675,14 @@ find_section_in_set (const char * name, unsigned int * set) |
474 |
if (set != NULL) |
475 |
{ |
476 |
while ((i = *set++) > 0) |
477 |
- if (streq (SECTION_NAME (section_headers + i), name)) |
478 |
- return section_headers + i; |
479 |
+ { |
480 |
+ /* See PR 21156 for a reproducer. */ |
481 |
+ if (i >= elf_header.e_shnum) |
482 |
+ continue; /* FIXME: Should we issue an error message ? */ |
483 |
+ |
484 |
+ if (streq (SECTION_NAME (section_headers + i), name)) |
485 |
+ return section_headers + i; |
486 |
+ } |
487 |
} |
488 |
|
489 |
return find_section (name); |
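Review bot: An index at or beyond `elf_header.e_shnum` is skipped silently, so a corrupt section set falls through to `find_section (name)` with no indication that the set was malformed. Resolving the FIXME with a diagnostic before the `continue`, e.g. `error (_("Section set contains out of range index %u\n"), i);`, would tell the reader that the output comes from a damaged file. The format specifier should match the type of `i`, which is declared outside the hunk.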
490 |
-- |
491 |
2.13.0 |