[binutils-gdb] Prevent an infinite loop in the DWARF parsing code when encountering a CU structure with a small neg

[Nick Clifton <nickc at sourceware dot org>]

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=19485196044b2521af979f1e5c4a89bfb90fba0b

commit 19485196044b2521af979f1e5c4a89bfb90fba0b
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Sep 27 10:42:51 2017 +0100

    Prevent an infinite loop in the DWARF parsing code when encountering a CU structure with a small negative size.
    
    	PR 22219
    	* dwarf.c (process_debug_info): Add a check for a negative
    	cu_length field.

Diff:
---
 binutils/ChangeLog |  6 ++++++
 binutils/dwarf.c   | 11 ++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index a4de14c..333ad86 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2017-09-27  Nick Clifton  <nickc@redhat.com>
+
+	PR 22219
+	* dwarf.c (process_debug_info): Add a check for a negative
+	cu_length field.
+
 2017-09-27  Alan Modra  <amodra@gmail.com>
 
 	PR 22216
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index edc65aa..7ded1bf 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -2591,7 +2591,7 @@ process_debug_info (struct dwarf_section *section,
       int level, last_level, saved_level;
       dwarf_vma cu_offset;
       unsigned int offset_size;
-      int initial_length_size;
+      unsigned int initial_length_size;
       dwarf_vma signature_high = 0;
       dwarf_vma signature_low = 0;
       dwarf_vma type_offset = 0;
@@ -2739,6 +2739,15 @@ process_debug_info (struct dwarf_section *section,
 	  num_units = unit;
 	  break;
 	}
+      else if (compunit.cu_length + initial_length_size < initial_length_size)
+	{
+	  warn (_("Debug info is corrupted, length of CU at %s is negative (%s)\n"),
+		dwarf_vmatoa ("x", cu_offset),
+		dwarf_vmatoa ("x", compunit.cu_length));
+	  num_units = unit;
+	  break;
+	}
+
       tags = hdrptr;
       start += compunit.cu_length + initial_length_size;