This is the mail archive of the
elfutils-devel@sourceware.org
mailing list for the elfutils project.
[PATCH] libdw: Fix overflow in read_encoded_value for the DW_EH_PE_indirect case.
- From: Mark Wielaard <mjw at redhat dot com>
- To: elfutils-devel at lists dot fedorahosted dot org
- Date: Wed, 27 May 2015 14:07:17 +0200
- Subject: [PATCH] libdw: Fix overflow in read_encoded_value for the DW_EH_PE_indirect case.
If we are going to dereference a pointer there should be at least enough
data to hold a pointer. Found by afl-fuzz.
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
libdw/ChangeLog | 5 +++++
libdw/encoded-value.h | 7 ++++---
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 2757093..aa4d09c 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-27 Mark Wielaard <mjw@redhat.com>
+
+ * encoded-value.h (read_encoded_value): Check data d_size contains
+ at least enough data to hold a pointer for DW_EH_PE_indirect.
+
2015-05-22 Mark Wielaard <mjw@redhat.com>
* dwarf_getsrclines.c (read_srclines): Limit stack usage of lines
diff --git a/libdw/encoded-value.h b/libdw/encoded-value.h
index 0fa2018..48d868f 100644
--- a/libdw/encoded-value.h
+++ b/libdw/encoded-value.h
@@ -214,9 +214,10 @@ read_encoded_value (const Dwarf_CFI *cache, uint8_t encoding,
if (unlikely (*result < cache->frame_vaddr))
return true;
*result -= cache->frame_vaddr;
- if (unlikely (*result > (cache->data->d.d_size
- - encoded_value_size (NULL, cache->e_ident,
- DW_EH_PE_absptr, NULL))))
+ size_t ptrsize = encoded_value_size (NULL, cache->e_ident,
+ DW_EH_PE_absptr, NULL);
+ if (unlikely (cache->data->d.d_size < ptrsize
+ || *result > (cache->data->d.d_size - ptrsize)))
return true;
const uint8_t *ptr = cache->data->d.d_buf + *result;
if (unlikely (__libdw_cfi_read_address_inc (cache, &ptr, 0, result)
--
1.8.3.1