[binutils-gdb] PR22169, heap-based buffer overflow in read_1_byte

[Alan Modra <amodra at sourceware dot org>]

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=515f23e63c0074ab531bc954f84ca40c6281a724

commit 515f23e63c0074ab531bc954f84ca40c6281a724
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Sep 24 14:36:16 2017 +0930

    PR22169, heap-based buffer overflow in read_1_byte
    
    The .debug_line header length field doesn't include the length field
    itself, ie. it's the size of the rest of .debug_line.
    
    	PR 22169
    	* dwarf2.c (decode_line_info): Correct .debug_line unit_length check.

Diff:
---
 bfd/ChangeLog | 5 +++++
 bfd/dwarf2.c  | 7 ++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 57f5ad3..f63a8bb 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,10 @@
 2017-09-24  Alan Modra  <amodra@gmail.com>
 
+	PR 22169
+	* dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
+
+2017-09-24  Alan Modra  <amodra@gmail.com>
+
 	PR 22167
 	* dwarf2.c (scan_unit_for_symbols): Check u.blk->data is non-NULL.
 
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index d1cf1aa..89a3f9b 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -2096,12 +2096,13 @@ decode_line_info (struct comp_unit *unit, struct dwarf2_debug *stash)
       offset_size = 8;
     }
 
-  if (unit->line_offset + lh.total_length > stash->dwarf_line_size)
+  if (lh.total_length > (size_t) (line_end - line_ptr))
     {
       _bfd_error_handler
 	/* xgettext: c-format */
-	(_("Dwarf Error: Line info data is bigger (%#Lx) than the space remaining in the section (%#Lx)"),
-	 lh.total_length, stash->dwarf_line_size - unit->line_offset);
+	(_("Dwarf Error: Line info data is bigger (%#Lx)"
+	   " than the space remaining in the section (%#lx)"),
+	 lh.total_length, (unsigned long) (line_end - line_ptr));
       bfd_set_error (bfd_error_bad_value);
       return NULL;
     }