authorAlan Modra <amodra@gmail.com>2021-05-11 17:57:04 +0930
committerAlan Modra <amodra@gmail.com>2021-05-12 21:10:33 +0930
commit0d872fca0293041a5cb7c54a4a04855323563d8e (patch)
tree6fe20b1324133b5a13ed5a9598d3bfb6a06fe5dd /binutils
parentee35ce8200dcd1754061d5dc90fb53f9504c6394 (diff)
PR27836, readelf -w pointer comparison UB
PR 27836 * dwarf.c (display_debug_frames): Don't compare pointers derived from user input. Test offset against bounds instead.
Diffstat (limited to 'binutils')
-rw-r--r--binutils/ChangeLog6
-rw-r--r--binutils/dwarf.c10
2 files changed, 12 insertions, 4 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index be50b31..aef73a5 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,5 +1,11 @@
2021-05-12 Alan Modra <amodra@gmail.com>
+ PR 27836
+ * dwarf.c (display_debug_frames): Don't compare pointers derived
+ from user input. Test offset against bounds instead.
+
+2021-05-12 Alan Modra <amodra@gmail.com>
+
PR 27853
* dwarf.c (display_formatted_table): Test for data >= end rather
than data == end.
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 896035c..51c0afc 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -8810,16 +8810,18 @@ display_debug_frames (struct dwarf_section *section,
{
unsigned char *look_for;
unsigned long segment_selector;
+ dwarf_vma cie_off;
+ cie_off = cie_id;
if (is_eh)
{
dwarf_vma sign = (dwarf_vma) 1 << (offset_size * 8 - 1);
- look_for = start - 4 - ((cie_id ^ sign) - sign);
+ cie_off = (cie_off ^ sign) - sign;
+ cie_off = start - 4 - section_start - cie_off;
}
- else
- look_for = section_start + cie_id;
- if (look_for <= saved_start)
+ look_for = section_start + cie_off;
+ if (cie_off <= (dwarf_vma) (saved_start - section_start))
{
for (cie = chunks; cie ; cie = cie->next)
if (cie->chunk_start == look_for)
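Review bot: `look_for = section_start + cie_off;` is still evaluated before `cie_off` is tested, so a `cie_id` taken from the file can form a pointer far outside the section. That pointer arithmetic is undefined on its own, even though the comparison now uses offsets. Form the pointer only once the offset is known to be in range, for example by moving the assignment inside the branch guarded by `if (cie_off <= (dwarf_vma) (saved_start - section_start))`. The rest of `display_debug_frames` lies outside this hunk, so any later path that uses `look_for` would need its own bound against the section size before computing it. A short comment on `(cie_off ^ sign) - sign` saying that it sign-extends the `offset_size`-wide value would also help readers.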