[PATCH] Fix a crash with a malformed PE header

[PATCH] Fix a crash with a malformed PE header

[Jon Turney]

Don't try to read the PE export table when no section contains the RVA
for it.

(I have a PE executable [1] packed with UPX, where the export table data
directory entry contains a RVA which doesn't correspond to any section.
Mistakenly trying to debug this with gdb makes it crash.)

[1] https://cygwin.com/setup/setup-2.898.x86_64.exe

gdb/ChangeLog:

2020-01-02  Jon Turney  <jon.turney@dronecode.org.uk>

	* coff-pe-read.c (read_pe_exported_syms): Don't try to read the
	export table if no section contains it's RVA.
---
 gdb/ChangeLog      | 5 +++++
 gdb/coff-pe-read.c | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/gdb/coff-pe-read.c b/gdb/coff-pe-read.c
index b05357bb8b..305900cfa3 100644
--- a/gdb/coff-pe-read.c
+++ b/gdb/coff-pe-read.c
@@ -441,6 +441,12 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
 	}
     }
 
+  if (expptr == 0)
+    {
+      /* no section contains export table rva */
+      return;
+    }
+
   export_rva = export_opthdrrva;
   export_size = export_opthdrsize;
 
-- 
2.21.0

Re: [PATCH] Fix a crash with a malformed PE header

[Eli Zaretskii]

> From: Jon Turney <jon.turney@dronecode.org.uk>
> Cc: Jon Turney <jon.turney@dronecode.org.uk>
> Date: Thu,  2 Jan 2020 12:54:05 +0000
> 
> --- a/gdb/coff-pe-read.c
> +++ b/gdb/coff-pe-read.c
> @@ -441,6 +441,12 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
>  	}
>      }
>  
> +  if (expptr == 0)
> +    {
> +      /* no section contains export table rva */
> +      return;
> +    }
> +

Thanks.  Would it make sense to produce some diagnostic output here,
when an appropriate debug-FOO option is set?

Re: [PATCH] Fix a crash with a malformed PE header

[Jon Turney]

[-- Attachment #1: Type: text/plain, Size: 659 bytes --]

On 02/01/2020 13:56, Eli Zaretskii wrote:
>> From: Jon Turney <jon.turney@dronecode.org.uk>
>> Cc: Jon Turney <jon.turney@dronecode.org.uk>
>> Date: Thu,  2 Jan 2020 12:54:05 +0000
>>
>> --- a/gdb/coff-pe-read.c
>> +++ b/gdb/coff-pe-read.c
>> @@ -441,6 +441,12 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
>>   	}
>>       }
>>   
>> +  if (expptr == 0)
>> +    {
>> +      /* no section contains export table rva */
>> +      return;
>> +    }
>> +
> 
> Thanks.  Would it make sense to produce some diagnostic output here,
> when an appropriate debug-FOO option is set?

Yes, I suppose that's better than just a comment.

How about the attached?

[-- Attachment #2: 0001-Fix-a-crash-with-a-malformed-PE-header.patch --]
[-- Type: text/plain, Size: 1331 bytes --]

From b78ee5736d93d7fa3476a69cc11229c047f477ec Mon Sep 17 00:00:00 2001
From: Jon Turney <jon.turney@dronecode.org.uk>
Date: Thu, 2 Jan 2020 00:25:56 +0000
Subject: [PATCH] Fix a crash with a malformed PE header

Don't try to read the PE export table when no section contains the RVA
for it.

(I have a PE executable [1] packed with UPX, where the export table data
directory entry contains a RVA which doesn't correspond to any section.
Mistakenly trying to debug this with gdb makes it crash.)

[1] https://cygwin.com/setup/setup-2.898.x86_64.exe

2020-01-02  Jon Turney  <jon.turney@dronecode.org.uk>

	* coff-pe-read.c (read_pe_exported_syms): Don't try to read the
	export table if no section contains it's RVA.
---
 gdb/ChangeLog      | 5 +++++
 gdb/coff-pe-read.c | 9 +++++++++
 2 files changed, 14 insertions(+)

diff --git a/gdb/coff-pe-read.c b/gdb/coff-pe-read.c
index b05357bb8b..926db57e58 100644
--- a/gdb/coff-pe-read.c
+++ b/gdb/coff-pe-read.c
@@ -441,6 +441,15 @@ read_pe_exported_syms (minimal_symbol_reader &reader,
 	}
     }
 
+  if (expptr == 0)
+    {
+      if (debug_coff_pe_read)
+	fprintf_unfiltered (gdb_stdlog, _("No section contains export RVA for "
+					  "dll \"%s\"\n"),
+			    dll_name);
+      return;
+    }
+
   export_rva = export_opthdrrva;
   export_size = export_opthdrsize;
 
-- 
2.21.0

Re: [PATCH] Fix a crash with a malformed PE header

[Eli Zaretskii]

> Cc: Eli Zaretskii <eliz@gnu.org>
> From: Jon Turney <jon.turney@dronecode.org.uk>
> Date: Fri, 3 Jan 2020 13:11:24 +0000
> 
> > Thanks.  Would it make sense to produce some diagnostic output here,
> > when an appropriate debug-FOO option is set?
> 
> Yes, I suppose that's better than just a comment.
> 
> How about the attached?

LGTM, but please wait for someone else to approve this formally.

Thanks.

Re: [PATCH] Fix a crash with a malformed PE header

[Tom Tromey]

>>>>> "Jon" == Jon Turney <jon.turney@dronecode.org.uk> writes:

Jon> 2020-01-02  Jon Turney  <jon.turney@dronecode.org.uk>

Jon> 	* coff-pe-read.c (read_pe_exported_syms): Don't try to read the
Jon> 	export table if no section contains it's RVA.

Thanks.  This is ok.

Tom