diff options
author | Nick Clifton <nickc@redhat.com> | 2022-12-16 12:06:43 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2022-12-16 12:06:43 +0000 |
commit | fa501b69309ccb03ec957101f24109ed7f737733 (patch) | |
tree | d75b92ca32ca7360c3c5f267e359480b4fd69ff6 /binutils | |
parent | 429f0cd1396203204754141681b1bc65bd3f5259 (diff) | |
download | binutils-fa501b69309ccb03ec957101f24109ed7f737733.zip binutils-fa501b69309ccb03ec957101f24109ed7f737733.tar.gz binutils-fa501b69309ccb03ec957101f24109ed7f737733.tar.bz2 |
Fix a potential illegal memory access when parsing corrupt DWARF information.
PR 29908
* dwarf.c (display_debug_addr): Check for corrupt header lengths.
Diffstat (limited to 'binutils')
-rw-r--r-- | binutils/ChangeLog | 5 | ||||
-rw-r--r-- | binutils/dwarf.c | 21 |
2 files changed, 25 insertions, 1 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 6ec81eb..16bddf7 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,8 @@ +2022-12-16 Nick Clifton <nickc@redhat.com> + + PR 29908 + * dwarf.c (display_debug_addr): Check for corrupt header lengths. + 2022-12-01 Nick Clifton <nickc@redhat.com> PR 25202 diff --git a/binutils/dwarf.c b/binutils/dwarf.c index 33ee41c..533f118 100644 --- a/binutils/dwarf.c +++ b/binutils/dwarf.c @@ -7738,6 +7738,12 @@ display_debug_addr (struct dwarf_section *section, return 0; } end = curr_header + length; + if (end < entry) + { + warn (_("Corrupt %s section header: length field (%lx) is too small\n"), + section->name, length); + return 0; + } SAFE_BYTE_GET_AND_INC (version, curr_header, 2, entry); if (version != 5) warn (_("Corrupt %s section: expecting version number 5 in header but found %d instead\n"), @@ -7748,9 +7754,22 @@ display_debug_addr (struct dwarf_section *section, address_size += segment_selector_size; } else - end = section->start + debug_addr_info [i + 1]->addr_base; + { + end = section->start + debug_addr_info [i + 1]->addr_base; + + if (end < entry) + { + warn (_("Corrupt %s section: address base of entry %u (%lx) is less than entry %u (%lx)\n"), + section->name, + i, debug_addr_info [i]->addr_base, + i + 1, debug_addr_info [i + 1]->addr_base); + return 0; + } + } + header = end; idx = 0; + while ((size_t) (end - entry) >= address_size) { uint64_t base = byte_get (entry, address_size); |