Check number of sections overflow

	* elf.c (assign_section_numbers): Check if number of sections
	>= SHN_LORESERVE.
	* elfcode.h (elf_object_p): Likewise.

3 files changed, 16 insertions, 2 deletions

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index f6d368e3a3..d48c5065a6 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2012-07-03  H.J. Lu  <hongjiu.lu@intel.com>
+
+	* elf.c (assign_section_numbers): Check if number of sections
+	>= SHN_LORESERVE.
+	* elfcode.h (elf_object_p): Likewise.
+
 2012-07-03  Nick Clifton  <nickc@redhat.com>
 
 	* archive.c (bsd_write_armap): Catch attempts to create an archive
diff --git a/bfd/elf.c b/bfd/elf.c
index 532c7f99f3..48e5d68341 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -3014,6 +3014,13 @@ assign_section_numbers (bfd *abfd, struct bfd_link_info *link_info)
       _bfd_elf_strtab_addref (elf_shstrtab (abfd), t->strtab_hdr.sh_name);
     }
 
+  if (section_number >= SHN_LORESERVE)
+    {
+      _bfd_error_handler (_("%B: too many sections: %u"),
+			  abfd, section_number);
+      return FALSE;
+    }
+
   _bfd_elf_strtab_finalize (elf_shstrtab (abfd));
   t->shstrtab_hdr.sh_size = _bfd_elf_strtab_size (elf_shstrtab (abfd));
 
diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index cc55c866d6..30bda73d86 100644
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -633,8 +633,9 @@ elf_object_p (bfd *abfd)
       if (i_ehdrp->e_shnum == SHN_UNDEF)
 	{
 	  i_ehdrp->e_shnum = i_shdr.sh_size;
-	  if (i_ehdrp->e_shnum != i_shdr.sh_size
-	      || i_ehdrp->e_shnum == 0)
+	  if (i_ehdrp->e_shnum >= SHN_LORESERVE
+	      || i_ehdrp->e_shnum != i_shdr.sh_size
+	      || i_ehdrp->e_shnum  == 0)
 	    goto got_wrong_format_error;
 	}