From fa501b69309ccb03ec957101f24109ed7f737733 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Fri, 16 Dec 2022 12:06:43 +0000
Subject: Fix a potential illegal memory access when parsing corrupt DWARF
 information.

	PR 29908
	* dwarf.c (display_debug_addr): Check for corrupt header lengths.
---
 binutils/ChangeLog |  5 +++++
 binutils/dwarf.c   | 21 ++++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

(limited to 'binutils')

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 6ec81eb..16bddf7 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,8 @@
+2022-12-16  Nick Clifton  <nickc@redhat.com>
+
+	PR 29908
+	* dwarf.c (display_debug_addr): Check for corrupt header lengths.
+
 2022-12-01  Nick Clifton  <nickc@redhat.com>
 
 	PR 25202
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 33ee41c..533f118 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -7738,6 +7738,12 @@ display_debug_addr (struct dwarf_section *section,
 	      return 0;
 	    }
 	  end = curr_header + length;
+	  if (end < entry)
+	    {
+	      warn (_("Corrupt %s section header: length field (%lx) is too small\n"),
+		    section->name, length);
+	      return 0;
+	    }
 	  SAFE_BYTE_GET_AND_INC (version, curr_header, 2, entry);
 	  if (version != 5)
 	    warn (_("Corrupt %s section: expecting version number 5 in header but found %d instead\n"),
@@ -7748,9 +7754,22 @@ display_debug_addr (struct dwarf_section *section,
 	  address_size += segment_selector_size;
 	}
       else
-	end = section->start + debug_addr_info [i + 1]->addr_base;
+	{
+	  end = section->start + debug_addr_info [i + 1]->addr_base;
+
+	  if (end < entry)
+	    {
+	      warn (_("Corrupt %s section: address base of entry %u (%lx) is less than entry %u (%lx)\n"),
+		    section->name,
+		    i, debug_addr_info [i]->addr_base,
+		    i + 1, debug_addr_info [i + 1]->addr_base);
+	      return 0;
+	    }
+	}
+
       header = end;
       idx = 0;
+
       while ((size_t) (end - entry) >= address_size)
 	{
 	  uint64_t base = byte_get (entry, address_size);
-- 
cgit v1.1