Fix buffer read overrun by ensuring that DWARF sections containing strings always end in a NUL byte.

PR 22047
	* dwarf2.c (read_section): If necessary add a terminating NUL byte
	to dwarf string sections.

bfd/ChangeLog

@@ -1,3 +1,9 @@
+2017-08-31  Nick Clifton  <nickc@redhat.com>
+
+	PR 22047
+	* dwarf2.c (read_section): If necessary add a terminating NUL byte
+	to dwarf string sections.
+
 2017-08-31  Alan Modra  <amodra@gmail.com>
 
 	* po/SRC-POTFILES.in: Regenerate.

bfd/dwarf2.c

@@ -566,6 +566,29 @@ read_section (bfd *           abfd,
 					  0, *section_size))
 	    return FALSE;
 	}
+
+      /* Paranoia - if we are reading in a string section, make sure that it
+	 is NUL terminated.  This is to prevent string functions from running
+	 off the end of the buffer.  Note - knowing the size of the buffer is
+	 not enough as some functions, eg strchr, do not have a range limited
+	 equivalent.
+
+	 FIXME: We ought to use a flag in the dwarf_debug_sections[] table to
+	 determine the nature of a debug section, rather than checking the
+	 section name as we do here.  */
+      if (*section_size > 0
+	  && (*section_buffer)[*section_size - 1] != 0
+	  && (strstr (section_name, "_str") || strstr (section_name, "names")))
+	{
+	  bfd_byte * new_buffer = malloc (*section_size + 1);
+
+	  _bfd_error_handler (_("warning: dwarf string section '%s' is not NUL terminated"),
+			      section_name);
+	  memcpy (new_buffer, *section_buffer, *section_size);
+	  new_buffer[*section_size] = 0;
+	  free (*section_buffer);
+	  *section_buffer = new_buffer;
+	}
     }
 
   /* It is possible to get a bad value for the offset into the section