From 8f461a883bab76c9075ebb1083c9a23af24c201b Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Wed, 2 Dec 2020 11:06:40 -0800
Subject: libbacktrace: correct buffer overflow tests

	* dwarf.c (resolve_string): Use > rather than >= to check whether
	string index extends past buffer.
	(resolve_addr_index): Similarly for address index.
---
 libbacktrace/dwarf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'libbacktrace')

diff --git a/libbacktrace/dwarf.c b/libbacktrace/dwarf.c
index 582f34b..0c913c9 100644
--- a/libbacktrace/dwarf.c
+++ b/libbacktrace/dwarf.c
@@ -1053,7 +1053,7 @@ resolve_string (const struct dwarf_sections *dwarf_sections, int is_dwarf64,
 
 	offset = val->u.uint * (is_dwarf64 ? 8 : 4) + str_offsets_base;
 	if (offset + (is_dwarf64 ? 8 : 4)
-	    >= dwarf_sections->size[DEBUG_STR_OFFSETS])
+	    > dwarf_sections->size[DEBUG_STR_OFFSETS])
 	  {
 	    error_callback (data, "DW_FORM_strx value out of range", 0);
 	    return 0;
@@ -1097,7 +1097,7 @@ resolve_addr_index (const struct dwarf_sections *dwarf_sections,
   struct dwarf_buf addr_buf;
 
   offset = addr_index * addrsize + addr_base;
-  if (offset + addrsize >= dwarf_sections->size[DEBUG_ADDR])
+  if (offset + addrsize > dwarf_sections->size[DEBUG_ADDR])
     {
       error_callback (data, "DW_FORM_addrx value out of range", 0);
       return 0;
-- 
cgit v1.1