aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Modra <amodra@gmail.com>2019-10-09 10:47:13 +1030
committerAlan Modra <amodra@gmail.com>2019-10-09 13:28:20 +1030
commit336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 (patch)
tree5b58fe6559be5012ef7897a2cc5a4f2bfa9dd81b
parent41481f9e4e4bd48e533f5731b6abc2730a3d7d81 (diff)
downloadgdb-336bfbeb1848f4b9558456fdcf283ee8a32d7fd1.zip
gdb-336bfbeb1848f4b9558456fdcf283ee8a32d7fd1.tar.gz
gdb-336bfbeb1848f4b9558456fdcf283ee8a32d7fd1.tar.bz2
PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1 and ffffd5555453b140 result in a total size of 1. Reading the first section of course overflows the buffer and tramples on other memory. PR 25070 * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of total_size calculation.
-rw-r--r--bfd/ChangeLog6
-rw-r--r--bfd/dwarf2.c11
2 files changed, 16 insertions, 1 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index cf5b372..87a6244 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2019-10-09 Alan Modra <amodra@gmail.com>
+
+ PR 25070
+ * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
+ total_size calculation.
+
2019-10-08 Alan Modra <amodra@gmail.com>
PR 25078
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index d39f4fd..88aaa2d 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
for (total_size = 0;
msec;
msec = find_debug_info (debug_bfd, debug_sections, msec))
- total_size += msec->size;
+ {
+ /* Catch PR25070 testcase overflowing size calculation here. */
+ if (total_size + msec->size < total_size
+ || total_size + msec->size < msec->size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+ total_size += msec->size;
+ }
stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
if (stash->info_ptr_memory == NULL)