diff options
author | Alan Modra <amodra@gmail.com> | 2022-12-13 00:27:11 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2022-12-13 00:36:08 +1030 |
commit | c8628c770bc9055cfd42cfc2e3c416495653f5f8 (patch) | |
tree | 3622a34ee311ca4a86d9da1dc13b74ea8a3204e8 /binutils | |
parent | 67a8c89601f6e1947484d5de23411634fef92e68 (diff) | |
download | binutils-c8628c770bc9055cfd42cfc2e3c416495653f5f8.zip binutils-c8628c770bc9055cfd42cfc2e3c416495653f5f8.tar.gz binutils-c8628c770bc9055cfd42cfc2e3c416495653f5f8.tar.bz2 |
PR29893, buffer overflow in display_debug_addr
PR 29893
* dwarf.c (display_debug_addr): Sanity check dwarf5 unit_length
field. Don't read past end.
Diffstat (limited to 'binutils')
-rw-r--r-- | binutils/dwarf.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/binutils/dwarf.c b/binutils/dwarf.c index b303915..c39c695 100644 --- a/binutils/dwarf.c +++ b/binutils/dwarf.c @@ -7731,8 +7731,13 @@ display_debug_addr (struct dwarf_section *section, SAFE_BYTE_GET_AND_INC (length, curr_header, 4, entry); if (length == 0xffffffff) SAFE_BYTE_GET_AND_INC (length, curr_header, 8, entry); + if (length > (size_t) (section->start + section->size - curr_header)) + { + warn (_("Corrupt %s section: unit_length field of %#" PRIx64 + " too large\n"), section->name, length); + return 0; + } end = curr_header + length; - SAFE_BYTE_GET_AND_INC (version, curr_header, 2, entry); if (version != 5) warn (_("Corrupt %s section: expecting version number 5 in header but found %d instead\n"), @@ -7746,7 +7751,7 @@ display_debug_addr (struct dwarf_section *section, end = section->start + debug_addr_info [i + 1]->addr_base; header = end; idx = 0; - while (entry < end) + while ((size_t) (end - entry) >= address_size) { uint64_t base = byte_get (entry, address_size); printf (_("\t%d:\t"), idx); |