From af4004d1da135610ab931e04a3ba2c9124defbd7 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Thu, 6 Jan 2022 16:37:26 +0000
Subject: Fix a stack exhaustion bug parsing malicious STABS format debug information. PR 28718 * debug.c (debug_write_type): Allow for malicious recursion via indirect debug types.
---
 binutils/ChangeLog | 6 ++++++
 binutils/debug.c | 18 ++++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)
(limited to 'binutils')
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 3953e4e..0b34ead 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2022-01-06 Nick Clifton
+
+ PR 28718
+ * debug.c (debug_write_type): Allow for malicious recursion via
+ indirect debug types.
+
 2022-01-04 Nick Clifton
 
 PR 28716
diff --git a/binutils/debug.c b/binutils/debug.c
index 64a0ad2..5866365 100644
--- a/binutils/debug.c
+++ b/binutils/debug.c
@@ -2484,8 +2484,22 @@ debug_write_type (struct debug_handle *info,
 debug_error (_("debug_write_type: illegal type encountered"));
 return false;
 case DEBUG_KIND_INDIRECT:
- return debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
- name);
+ /* PR 28718: Allow for malicious recursion. */
+ {
+ static int recursion_depth = 0;
+ bool result;
+
+ if (recursion_depth > 256)
+ {
+ debug_error (_("debug_write_type: too many levels of nested indirection"));
+ return false;
+ }
+ ++ recursion_depth;
+ result = debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
+ name);
+ -- recursion_depth;
+ return result;
+ }
 case DEBUG_KIND_VOID:
 return (*fns->void_type) (fhandle);
 case DEBUG_KIND_INT:
--
cgit v1.1
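Review bot: The depth counter added in the `DEBUG_KIND_INDIRECT` case only counts hops through indirect types, so a self-referential chain built from any other kind that `debug_write_type` recurses on would never reach it; those cases lie outside this hunk, so this is something to confirm rather than a confirmed gap. If other cases do recurse, performing the check once at function entry would bound every path with the same counter. The limit is also a bare literal and the counter is a function-local `static`, which makes the function non-reentrant; a named constant plus a comment such as `/* Depth cap, not cycle detection; the static counter assumes single-threaded use. */` would record both assumptions. Finally, `recursion_depth > 256` admits 257 nested calls, which is harmless but `>=` would match the stated limit.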