diff options
| author | Alan Modra <amodra@gmail.com> | 2017-09-24 14:36:16 +0930 |
|---|---|---|
| committer | Alan Modra <amodra@gmail.com> | 2017-09-24 16:15:14 +0930 |
| commit | 515f23e63c0074ab531bc954f84ca40c6281a724 (patch) | |
| tree | 266d9172e9797c3b818c1edba524a320d1382178 /bfd/dwarf2.c | |
| parent | 0d76029f92182c3682d8be2c833d45bc9a2068fe (diff) | |
| download | gdb-515f23e63c0074ab531bc954f84ca40c6281a724.zip gdb-515f23e63c0074ab531bc954f84ca40c6281a724.tar.gz gdb-515f23e63c0074ab531bc954f84ca40c6281a724.tar.bz2 | |
PR22169, heap-based buffer overflow in read_1_byte
The .debug_line header length field doesn't include the length field
itself, ie. it's the size of the rest of .debug_line.
PR 22169
* dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
Diffstat (limited to 'bfd/dwarf2.c')
| -rw-r--r-- | bfd/dwarf2.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c index d1cf1aa..89a3f9b 100644 --- a/bfd/dwarf2.c +++ b/bfd/dwarf2.c @@ -2096,12 +2096,13 @@ decode_line_info (struct comp_unit *unit, struct dwarf2_debug *stash) offset_size = 8; } - if (unit->line_offset + lh.total_length > stash->dwarf_line_size) + if (lh.total_length > (size_t) (line_end - line_ptr)) { _bfd_error_handler /* xgettext: c-format */ - (_("Dwarf Error: Line info data is bigger (%#Lx) than the space remaining in the section (%#Lx)"), - lh.total_length, stash->dwarf_line_size - unit->line_offset); + (_("Dwarf Error: Line info data is bigger (%#Lx)" + " than the space remaining in the section (%#lx)"), + lh.total_length, (unsigned long) (line_end - line_ptr)); bfd_set_error (bfd_error_bad_value); return NULL; } |