Fix potential illegal memory access failures in the BFD library by en…

…suring that the return value from bfd_malloc() is checked before it is used.

	PR 25308
	* elf-properties.c (_bfd_elf_convert_gnu_properties): Check the
	return value from bfd_malloc.
	* elf32-arm.c (bfd_elf32_arm_vfp11_fix_veneer_locations): Likewise.
	(bfd_elf32_arm_stm32l4xx_fix_veneer_locations): Likewise.
	(elf32_arm_filter_cmse_symbols): Likewise.
	(elf32_arm_write_section): Likewise.
	* mach-o.c (bfd_mach_o_core_fetch_environment): Likewise.
	(bfd_mach_o_follow_dsym): Likewise.
	* pef.c (bfd_pef_print_loader_section): Likewise.
	(bfd_pef_scan_start_address): Likewise.
	(bfd_pef_parse_function_stubs): Likewise.
	(bfd_pef_parse_symbols): Likewise.

bfd/ChangeLog

@@ -1,3 +1,19 @@
+2020-01-03  Nick Clifton  <nickc@redhat.com>
+
+	PR 25308
+	* elf-properties.c (_bfd_elf_convert_gnu_properties): Check the
+	return value from bfd_malloc.
+	* elf32-arm.c (bfd_elf32_arm_vfp11_fix_veneer_locations): Likewise.
+	(bfd_elf32_arm_stm32l4xx_fix_veneer_locations): Likewise.
+	(elf32_arm_filter_cmse_symbols): Likewise.
+	(elf32_arm_write_section): Likewise.
+	* mach-o.c (bfd_mach_o_core_fetch_environment): Likewise.
+	(bfd_mach_o_follow_dsym): Likewise.
+	* pef.c (bfd_pef_print_loader_section): Likewise.
+	(bfd_pef_scan_start_address): Likewise.
+	(bfd_pef_parse_function_stubs): Likewise.
+	(bfd_pef_parse_symbols): Likewise.
+
 2020-01-03  Sergei Trofimovich  <siarheit@google.com>
 
         * elfnn-ia64.c (elfNN_ia64_merge_private_bfd_data): don't fail

bfd/elf-properties.c

@@ -703,6 +703,8 @@ _bfd_elf_convert_gnu_properties (bfd *ibfd, asection *isec,
   if (size > bfd_section_size (isec))
     {
       contents = (bfd_byte *) bfd_malloc (size);
+      if (contents == NULL)
+	return FALSE;
       free (*ptr);
       *ptr = contents;
     }

bfd/elf32-arm.c

@@ -7148,7 +7148,6 @@ find_arm_glue (struct bfd_link_info *link_info,
 
   tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen (name)
 				  + strlen (ARM2THUMB_GLUE_ENTRY_NAME) + 1);
-
   BFD_ASSERT (tmp_name);
 
   sprintf (tmp_name, ARM2THUMB_GLUE_ENTRY_NAME, name);
@@ -7323,7 +7322,6 @@ record_arm_to_thumb_glue (struct bfd_link_info * link_info,
 
   tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen (name)
 				  + strlen (ARM2THUMB_GLUE_ENTRY_NAME) + 1);
-
   BFD_ASSERT (tmp_name);
 
   sprintf (tmp_name, ARM2THUMB_GLUE_ENTRY_NAME, name);
@@ -7401,7 +7399,6 @@ record_arm_bx_glue (struct bfd_link_info * link_info, int reg)
   /* Add symbol for veneer.  */
   tmp_name = (char *)
       bfd_malloc ((bfd_size_type) strlen (ARM_BX_GLUE_ENTRY_NAME) + 1);
-
   BFD_ASSERT (tmp_name);
 
   sprintf (tmp_name, ARM_BX_GLUE_ENTRY_NAME, reg);
@@ -7493,7 +7490,6 @@ record_vfp11_erratum_veneer (struct bfd_link_info *link_info,
 
   tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen
 				  (VFP11_ERRATUM_VENEER_ENTRY_NAME) + 10);
-
   BFD_ASSERT (tmp_name);
 
   sprintf (tmp_name, VFP11_ERRATUM_VENEER_ENTRY_NAME,
@@ -7613,7 +7609,6 @@ record_stm32l4xx_erratum_veneer (struct bfd_link_info *link_info,
 
   tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen
 				  (STM32L4XX_ERRATUM_VENEER_ENTRY_NAME) + 10);
-
   BFD_ASSERT (tmp_name);
 
   sprintf (tmp_name, STM32L4XX_ERRATUM_VENEER_ENTRY_NAME,
@@ -8644,6 +8639,7 @@ bfd_elf32_arm_vfp11_fix_veneer_locations (bfd *abfd,
 
   tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen
 				  (VFP11_ERRATUM_VENEER_ENTRY_NAME) + 10);
+  BFD_ASSERT (tmp_name);
 
   for (sec = abfd->sections; sec != NULL; sec = sec->next)
     {
@@ -8731,6 +8727,7 @@ bfd_elf32_arm_stm32l4xx_fix_veneer_locations (bfd *abfd,
 
   tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen
 				  (STM32L4XX_ERRATUM_VENEER_ENTRY_NAME) + 10);
+  BFD_ASSERT (tmp_name);
 
   for (sec = abfd->sections; sec != NULL; sec = sec->next)
     {
@@ -18505,6 +18502,8 @@ elf32_arm_filter_cmse_symbols (bfd *abfd ATTRIBUTE_UNUSED,
 
   maxnamelen = 128;
   cmse_name = (char *) bfd_malloc (maxnamelen);
+  BFD_ASSERT (cmse_name);
+
   for (src_count = 0; src_count < symcount; src_count++)
     {
       struct elf32_arm_link_hash_entry *cmse_hash;
@@ -19700,6 +19699,8 @@ elf32_arm_write_section (bfd *output_bfd,
       unsigned int in_index, out_index;
       bfd_vma add_to_offsets = 0;
 
+      if (edited_contents == NULL)
+	return FALSE;
       for (in_index = 0, out_index = 0; in_index * 8 < input_size || edit_node;)
 	{
 	  if (edit_node)

bfd/mach-o.c

@@ -5752,6 +5752,8 @@ bfd_mach_o_core_fetch_environment (bfd *abfd,
 	  unsigned char *buf = bfd_malloc (1024);
 	  unsigned long size = 1024;
 
+	  if (buf == NULL)
+	    return -1;
 	  for (;;)
 	    {
 	      bfd_size_type nread = 0;
@@ -5797,6 +5799,8 @@ bfd_mach_o_core_fetch_environment (bfd *abfd,
 		      bottom = seg->fileoff + seg->filesize - offset;
 		      top = seg->fileoff + seg->filesize - 4;
 		      *rbuf = bfd_malloc (top - bottom);
+		      if (*rbuf == NULL)
+			return -1;
 		      *rlen = top - bottom;
 
 		      memcpy (*rbuf, buf + size - *rlen, *rlen);
@@ -5941,6 +5945,9 @@ bfd_mach_o_follow_dsym (bfd *abfd)
   dsym_filename = (char *)bfd_malloc (strlen (base_bfd->filename)
 				       + strlen (dsym_subdir) + 1
 				       + strlen (base_basename) + 1);
+  if (dsym_filename == NULL)
+    return NULL;
+
   sprintf (dsym_filename, "%s%s/%s",
 	   base_bfd->filename, dsym_subdir, base_basename);
 

bfd/pef.c

@@ -447,6 +447,8 @@ bfd_pef_print_loader_section (bfd *abfd, FILE *file)
 
   loaderlen = loadersec->size;
   loaderbuf = bfd_malloc (loaderlen);
+  if (loaderbuf == NULL)
+    return -1;
 
   if (bfd_seek (abfd, loadersec->filepos, SEEK_SET) < 0
       || bfd_bread ((void *) loaderbuf, loaderlen, abfd) != loaderlen
@@ -478,6 +480,9 @@ bfd_pef_scan_start_address (bfd *abfd)
 
   loaderlen = loadersec->size;
   loaderbuf = bfd_malloc (loaderlen);
+  if (loaderbuf == NULL)
+    goto end;
+
   if (bfd_seek (abfd, loadersec->filepos, SEEK_SET) < 0)
     goto error;
   if (bfd_bread ((void *) loaderbuf, loaderlen, abfd) != loaderlen)
@@ -753,6 +758,8 @@ bfd_pef_parse_function_stubs (bfd *abfd,
     (header.imported_library_count * sizeof (bfd_pef_imported_library));
   imports = bfd_malloc
     (header.total_imported_symbol_count * sizeof (bfd_pef_imported_symbol));
+  if (libraries == NULL || imports == NULL)
+    goto error;
 
   if (loaderlen < (56 + (header.imported_library_count * 24)))
     goto error;
@@ -897,6 +904,8 @@ bfd_pef_parse_symbols (bfd *abfd, asymbol **csym)
     {
       codelen = codesec->size;
       codebuf = bfd_malloc (codelen);
+      if (codebuf == NULL)
+	goto end;
       if (bfd_seek (abfd, codesec->filepos, SEEK_SET) < 0)
 	goto end;
       if (bfd_bread ((void *) codebuf, codelen, abfd) != codelen)
@@ -908,6 +917,8 @@ bfd_pef_parse_symbols (bfd *abfd, asymbol **csym)
     {
       loaderlen = loadersec->size;
       loaderbuf = bfd_malloc (loaderlen);
+      if (loaderbuf == NULL)
+	goto end;
       if (bfd_seek (abfd, loadersec->filepos, SEEK_SET) < 0)
 	goto end;
       if (bfd_bread ((void *) loaderbuf, loaderlen, abfd) != loaderlen)