aboutsummaryrefslogtreecommitdiff
path: root/binutils
diff options
context:
space:
mode:
authorAlan Modra <amodra@gmail.com>2022-12-13 00:27:11 +1030
committerAlan Modra <amodra@gmail.com>2022-12-13 00:36:08 +1030
commitc8628c770bc9055cfd42cfc2e3c416495653f5f8 (patch)
tree3622a34ee311ca4a86d9da1dc13b74ea8a3204e8 /binutils
parent67a8c89601f6e1947484d5de23411634fef92e68 (diff)
downloadbinutils-c8628c770bc9055cfd42cfc2e3c416495653f5f8.zip
binutils-c8628c770bc9055cfd42cfc2e3c416495653f5f8.tar.gz
binutils-c8628c770bc9055cfd42cfc2e3c416495653f5f8.tar.bz2
PR29893, buffer overflow in display_debug_addr
PR 29893 * dwarf.c (display_debug_addr): Sanity check dwarf5 unit_length field. Don't read past end.
Diffstat (limited to 'binutils')
-rw-r--r--binutils/dwarf.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index b303915..c39c695 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -7731,8 +7731,13 @@ display_debug_addr (struct dwarf_section *section,
SAFE_BYTE_GET_AND_INC (length, curr_header, 4, entry);
if (length == 0xffffffff)
SAFE_BYTE_GET_AND_INC (length, curr_header, 8, entry);
+ if (length > (size_t) (section->start + section->size - curr_header))
+ {
+ warn (_("Corrupt %s section: unit_length field of %#" PRIx64
+ " too large\n"), section->name, length);
+ return 0;
+ }
end = curr_header + length;
-
SAFE_BYTE_GET_AND_INC (version, curr_header, 2, entry);
if (version != 5)
warn (_("Corrupt %s section: expecting version number 5 in header but found %d instead\n"),
@@ -7746,7 +7751,7 @@ display_debug_addr (struct dwarf_section *section,
end = section->start + debug_addr_info [i + 1]->addr_base;
header = end;
idx = 0;
- while (entry < end)
+ while ((size_t) (end - entry) >= address_size)
{
uint64_t base = byte_get (entry, address_size);
printf (_("\t%d:\t"), idx);