diff options
| author | Nick Clifton <nickc@redhat.com> | 2022-01-06 16:37:26 +0000 |
|---|---|---|
| committer | Nick Clifton <nickc@redhat.com> | 2022-01-06 16:37:26 +0000 |
| commit | af4004d1da135610ab931e04a3ba2c9124defbd7 (patch) | |
| tree | 85f7e6dc0afd248d1f0af0b9388835926649d6f7 /binutils | |
| parent | 27297937e0c648cdf115ecbceb4ba25dfefe7492 (diff) | |
| download | fsf-binutils-gdb-af4004d1da135610ab931e04a3ba2c9124defbd7.zip fsf-binutils-gdb-af4004d1da135610ab931e04a3ba2c9124defbd7.tar.gz fsf-binutils-gdb-af4004d1da135610ab931e04a3ba2c9124defbd7.tar.bz2 | |
Fix a stack exhaustion bug parsing malicious STABS format debug information.
PR 28718
* debug.c (debug_write_type): Allow for malicious recursion via
indirect debug types.
Diffstat (limited to 'binutils')
| -rw-r--r-- | binutils/ChangeLog | 6 | ||||
| -rw-r--r-- | binutils/debug.c | 18 |
2 files changed, 22 insertions, 2 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 3953e4e..0b34ead 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,9 @@ +2022-01-06 Nick Clifton <nickc@redhat.com> + + PR 28718 + * debug.c (debug_write_type): Allow for malicious recursion via + indirect debug types. + 2022-01-04 Nick Clifton <nickc@redhat.com> PR 28716 diff --git a/binutils/debug.c b/binutils/debug.c index 64a0ad2..5866365 100644 --- a/binutils/debug.c +++ b/binutils/debug.c @@ -2484,8 +2484,22 @@ debug_write_type (struct debug_handle *info, debug_error (_("debug_write_type: illegal type encountered")); return false; case DEBUG_KIND_INDIRECT: - return debug_write_type (info, fns, fhandle, *type->u.kindirect->slot, - name); + /* PR 28718: Allow for malicious recursion. */ + { + static int recursion_depth = 0; + bool result; + + if (recursion_depth > 256) + { + debug_error (_("debug_write_type: too many levels of nested indirection")); + return false; + } + ++ recursion_depth; + result = debug_write_type (info, fns, fhandle, *type->u.kindirect->slot, + name); + -- recursion_depth; + return result; + } case DEBUG_KIND_VOID: return (*fns->void_type) (fhandle); case DEBUG_KIND_INT: |