This is the mail archive of the binutils-cvs@sourceware.org mailing list for the binutils project.



[binutils-gdb] Fix potential integer overflow when reading corrupt dwarf1 debug information.


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=eef104664efb52965d85a28bc3fc7c77e52e48e2

commit eef104664efb52965d85a28bc3fc7c77e52e48e2
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Feb 28 10:13:54 2018 +0000

    Fix potential integer overflow when reading corrupt dwarf1 debug information.
    
    	PR 22894
    	* dwarf1.c (parse_die): Check the length of form blocks before
    	advancing the data pointer.

Diff:
---
 bfd/ChangeLog |  6 ++++++
 bfd/dwarf1.c  | 17 +++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 446b978..76a6499 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2018-02-28  Nick Clifton  <nickc@redhat.com>
+
+	PR 22894
+	* dwarf1.c (parse_die): Check the length of form blocks before
+	advancing the data pointer.
+
 2018-02-28  Alan Modra  <amodra@gmail.com>
 
 	PR 22887
diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c
index 71bc57b..f272ea8 100644
--- a/bfd/dwarf1.c
+++ b/bfd/dwarf1.c
@@ -213,6 +213,7 @@ parse_die (bfd *	     abfd,
   /* Then the attributes.  */
   while (xptr + 2 <= aDiePtrEnd)
     {
+      unsigned int   block_len;
       unsigned short attr;
 
       /* Parse the attribute based on its form.  This section
@@ -255,12 +256,24 @@ parse_die (bfd *	     abfd,
 	  break;
 	case FORM_BLOCK2:
 	  if (xptr + 2 <= aDiePtrEnd)
-	    xptr += bfd_get_16 (abfd, xptr);
+	    {
+	      block_len = bfd_get_16 (abfd, xptr);
+	      if (xptr + block_len > aDiePtrEnd
+		  || xptr + block_len < xptr)
+		return FALSE;
+	      xptr += block_len;
+	    }
 	  xptr += 2;
 	  break;
 	case FORM_BLOCK4:
 	  if (xptr + 4 <= aDiePtrEnd)
-	    xptr += bfd_get_32 (abfd, xptr);
+	    {
+	      block_len = bfd_get_32 (abfd, xptr);
+	      if (xptr + block_len > aDiePtrEnd
+		  || xptr + block_len < xptr)
+		return FALSE;
+	      xptr += block_len;
+	    }
 	  xptr += 4;
 	  break;
 	case FORM_STRING:
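Review bot: The wraparound guard `xptr + block_len < xptr` in the new FORM_BLOCK2 and FORM_BLOCK4 cases relies on pointer arithmetic overflowing, which is undefined behaviour in C, so an optimising compiler is entitled to fold that comparison to false and the overflow check vanishes in exactly the build where it matters. Comparing the length against the remaining span never forms an out-of-range pointer: `if (block_len > (size_t) (aDiePtrEnd - xptr - 2)) return FALSE;` (`- 4` in the FORM_BLOCK4 case), which is well-defined because the enclosing `if` has already established that the length field itself fits before aDiePtrEnd. That form also tightens the bound: the committed check is taken before the `xptr += 2` / `xptr += 4` that skips the length field, so a block whose last two or four bytes lie beyond aDiePtrEnd is currently accepted rather than rejected; the loop guard `xptr + 2 <= aDiePtrEnd` then stops iteration before anything is read, so this looks like a tolerance gap rather than a read past the end. parse_die begins and ends outside this hunk.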

