Fix illegal memory access when bfd_get_section_contents is called with a NULL section pointer.

PR 31843
2024-11-21 01:12:32 +08:00 · 2024-06-05 13:30:27 +01:00 · 2024-06-05 13:30:27 +01:00 · 2db414c36b
commit 2db414c36b
parent 3d7627c2d0
2 changed files with 41 additions and 10 deletions
--- a/bfd/section.c
+++ b/bfd/section.c
@ -1565,12 +1565,46 @@ bfd_get_section_contents (bfd *abfd,
 {
  bfd_size_type sz;

+  if (count == 0)
+    /* Don't bother.  */
+    return true;
+
+  if (section == NULL)
+    {
+      bfd_set_error (bfd_error_bad_value);
+      return false;
+    }
+
+  if (location == NULL)
+    {
+      if (section->mmapped_p)
+	{
+	  /* Pass this request straight on to the target's function.
+	     All of the code below assumes that location != NULL.
+	     FIXME: Should we still check that count is sane ?  */
+	  return BFD_SEND (abfd, _bfd_get_section_contents,
+			   (abfd, section, location, offset, count));
+	}
+
+      bfd_set_error (bfd_error_bad_value);
+      return false;
+    }
+
  if (section->flags & SEC_CONSTRUCTOR)
    {
      memset (location, 0, (size_t) count);
      return true;
    }

+  if ((section->flags & SEC_HAS_CONTENTS) == 0)
+    {
+      memset (location, 0, (size_t) count);
+      return true;
+    }
+
+  if (abfd == NULL)
+    return false;
+
  sz = bfd_get_section_limit_octets (abfd, section);
  if ((bfd_size_type) offset > sz
      || count > sz - offset
@ -1580,16 +1614,6 @@ bfd_get_section_contents (bfd *abfd,
      return false;
    }

-  if (count == 0)
-    /* Don't bother.  */
-    return true;
-
-  if ((section->flags & SEC_HAS_CONTENTS) == 0)
-    {
-      memset (location, 0, (size_t) count);
-      return true;
-    }
-
  if ((section->flags & SEC_IN_MEMORY) != 0)
    {
      if (section->contents == NULL)
--- a/opcodes/nfp-dis.c
+++ b/opcodes/nfp-dis.c
@ -2559,6 +2559,13 @@ init_nfp3200_priv (nfp_priv_data * priv, struct disassemble_info *dinfo)
      return false;
    }

+  if (sec->bfd_section == NULL)
+    {
+      /* See PR 31843 for an example of this.  */
+      dinfo->fprintf_func (dinfo->stream, _("The ME-Config section is corrupt."));
+      return false;
+    }
+
  for (roff = 0; (bfd_size_type) roff < sec->sh_size;
       roff += sec->sh_entsize, menum_linear++)
    {