author | Nick Clifton <nickc@redhat.com> | 2018-02-28 10:13:54 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2018-02-28 10:13:54 +0000 |
commit | eef104664efb52965d85a28bc3fc7c77e52e48e2 (patch) | |
tree | 246492648baf81e83d839460480c0c10f05e3898 /bfd/dwarf1.c | |
parent | 0d329c0a83a23cebb86fbe0ebddd780dc0df2424 (diff) | |
Fix potential integer overflow when reading corrupt dwarf1 debug information.
PR 22894
* dwarf1.c (parse_die): Check the length of form blocks before
advancing the data pointer.
Diffstat (limited to 'bfd/dwarf1.c')
-rw-r--r-- | bfd/dwarf1.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c
index 71bc57b..f272ea8 100644
--- a/bfd/dwarf1.c
+++ b/bfd/dwarf1.c
@@ -213,6 +213,7 @@ parse_die (bfd * abfd,
 /* Then the attributes. */
 while (xptr + 2 <= aDiePtrEnd)
 {
+ unsigned int block_len;
 unsigned short attr;
 /* Parse the attribute based on its form. This section
@@ -255,12 +256,24 @@ parse_die (bfd * abfd,
 break;
 case FORM_BLOCK2:
 if (xptr + 2 <= aDiePtrEnd)
- xptr += bfd_get_16 (abfd, xptr);
+ {
+ block_len = bfd_get_16 (abfd, xptr);
+ if (xptr + block_len > aDiePtrEnd
+ || xptr + block_len < xptr)
+ return FALSE;
+ xptr += block_len;
+ }
 xptr += 2;
 break;
 case FORM_BLOCK4:
 if (xptr + 4 <= aDiePtrEnd)
- xptr += bfd_get_32 (abfd, xptr);
+ {
+ block_len = bfd_get_32 (abfd, xptr);
+ if (xptr + block_len > aDiePtrEnd
+ || xptr + block_len < xptr)
+ return FALSE;
+ xptr += block_len;
+ }
 xptr += 4;
 break;
 case FORM_STRING: |
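Review bot: The wrap test `xptr + block_len < xptr` in both the FORM_BLOCK2 and FORM_BLOCK4 cases depends on pointer arithmetic overflowing, which is undefined behaviour in C, so an optimising compiler is entitled to drop it and the guard against a huge length from a corrupt file may not survive. Comparing the length with the bytes remaining avoids forming the out-of-range pointer at all: `if (block_len > (size_t) (aDiePtrEnd - xptr - 2)) return FALSE;` (with `- 4` for FORM_BLOCK4), which is safe because the enclosing `if` already guarantees that at least 2 (or 4) bytes remain. That form also counts the length field itself; as written, a block that ends within the last 2 or 4 bytes passes the check and the following `xptr += 2` / `xptr += 4` moves xptr past aDiePtrEnd. parse_die begins and ends outside these hunks, so whether xptr is used after the loop cannot be confirmed from here.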