This is the mail archive of the
binutils-cvs@sourceware.org
mailing list for the binutils project.
[binutils-gdb/binutils-2_29-branch] Import fix from mainline that fixes buffer overrun errors when parsing corrupt DWARF debug informati
- From: Nick Clifton <nickc at sourceware dot org>
- To: bfd-cvs at sourceware dot org
- Date: 10 Sep 2017 09:27:47 -0000
- Subject: [binutils-gdb/binutils-2_29-branch] Import fix from mainline that fixes buffer overrun errors when parsing corrupt DWARF debug informati
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4c730770f07e4b5da5ab0a7654056cc9532b967d
commit 4c730770f07e4b5da5ab0a7654056cc9532b967d
Author: Nick Clifton <nickc@redhat.com>
Date: Sun Sep 10 10:26:33 2017 +0100
Import fix from mainline that fixes buffer overrun errors when parsing corrupt DWARF debug information string sections.
PR 22047
* dwarf2.c (read_section): If necessary add a terminating NUL byte
to dwarf string sections.
Diff:
---
bfd/ChangeLog | 8 ++++++++
bfd/dwarf2.c | 23 +++++++++++++++++++++++
2 files changed, 31 insertions(+)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 708a4bf..ed97efc 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2017-09-10 Nick Clifton <nickc@redhat.com>
+
+ Import from mainline:
+
+ PR 22047
+ * dwarf2.c (read_section): If necessary add a terminating NUL byte
+ to dwarf string sections.
+
2017-09-10 Alan Modra <amodra@gmail.com>
* elf64-ppp.c (plt_stub_pad): Handle positive and negative
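Review bot: the ChangeLog entry only describes the appended NUL byte, but the dwarf2.c change also introduces a new user-visible diagnostic ("warning: dwarf string section '%s' is not NUL terminated"); please mention the new warning in the entry so the behaviour change is recorded, e.g. "Also warn when a string section is not NUL terminated."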
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 8779627..3cb2c34 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -566,6 +566,29 @@ read_section (bfd * abfd,
0, *section_size))
return FALSE;
}
+
+ /* Paranoia - if we are reading in a string section, make sure that it
+ is NUL terminated. This is to prevent string functions from running
+ off the end of the buffer. Note - knowing the size of the buffer is
+ not enough as some functions, eg strchr, do not have a range limited
+ equivalent.
+
+ FIXME: We ought to use a flag in the dwarf_debug_sections[] table to
+ determine the nature of a debug section, rather than checking the
+ section name as we do here. */
+ if (*section_size > 0
+ && (*section_buffer)[*section_size - 1] != 0
+ && (strstr (section_name, "_str") || strstr (section_name, "names")))
+ {
+ bfd_byte * new_buffer = malloc (*section_size + 1);
+
+ _bfd_error_handler (_("warning: dwarf string section '%s' is not NUL terminated"),
+ section_name);
+ memcpy (new_buffer, *section_buffer, *section_size);
+ new_buffer[*section_size] = 0;
+ free (*section_buffer);
+ *section_buffer = new_buffer;
+ }
}
/* It is possible to get a bad value for the offset into the section
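Review bot: the result of `malloc (*section_size + 1)` is never checked before `memcpy (new_buffer, *section_buffer, *section_size);`, so an allocation failure on a large string section turns into a NULL dereference rather than a clean failure; please add a NULL check that frees nothing extra, sets the BFD error state and returns FALSE like the read failure path just above the hunk. Two smaller points: the name-based `strstr (section_name, "_str") || strstr (section_name, "names")` test is coarse (the FIXME already acknowledges this) and will also match any unrelated section whose name happens to contain those substrings, so the table-driven flag the comment proposes is worth doing in a follow-up; and the warning is emitted before the buffer is actually fixed up, so if the allocation path is made to fail the message should still be accurate, which argues for moving `_bfd_error_handler` after the successful copy.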