Fix an illegal memory access triggered by an attempt to parse a corrupt input file.

PR 28046 * dwarf2.c (read_ranges): Check that range_ptr does not exceed range_end.
author: Nick Clifton <nickc@redhat.com> 2021-07-02 14:56:36 +0100
committer: Nick Clifton <nickc@redhat.com> 2021-07-02 14:56:36 +0100
commit: 49910fd88dcd2ec3d0d9e56120ceb56a6a64b7b8 (patch)
tree: 6669ddf9c3ef564225245f664ebbe3130e9751c2 /bfd/dwarf2.c
parent: 4ff0bb2df5e0ce6dc30b8dd2a0d4174649d0dcfe (diff)
download: gdb-49910fd88dcd2ec3d0d9e56120ceb56a6a64b7b8.zip
gdb-49910fd88dcd2ec3d0d9e56120ceb56a6a64b7b8.tar.gz
gdb-49910fd88dcd2ec3d0d9e56120ceb56a6a64b7b8.tar.bz2
1 files changed, 4 insertions, 1 deletions
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 79fcd06..1247f95 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -909,7 +909,8 @@ read_address (struct comp_unit *unit, bfd_byte **ptr, bfd_byte *buf_end)
   if (bfd_get_flavour (unit->abfd) == bfd_target_elf_flavour)
     signed_vma = get_elf_backend_data (unit->abfd)->sign_extend_vma;
 
-  if (unit->addr_size > (size_t) (buf_end - buf))
+  if (unit->addr_size > (size_t) (buf_end - buf)
+      || (buf > buf_end))
     {
       *ptr = buf_end;
       return 0;
@@ -3097,6 +3098,8 @@ read_ranges (struct comp_unit *unit, struct arange *arange,
   if (ranges_ptr < unit->file->dwarf_ranges_buffer)
     return false;
   ranges_end = unit->file->dwarf_ranges_buffer + unit->file->dwarf_ranges_size;
+  if (ranges_ptr >= ranges_end)
+    return false;
 
   for (;;)
     {
author	Nick Clifton <nickc@redhat.com>	2021-07-02 14:56:36 +0100
committer	Nick Clifton <nickc@redhat.com>	2021-07-02 14:56:36 +0100
commit	49910fd88dcd2ec3d0d9e56120ceb56a6a64b7b8 (patch)
tree	6669ddf9c3ef564225245f664ebbe3130e9751c2 /bfd/dwarf2.c
parent	4ff0bb2df5e0ce6dc30b8dd2a0d4174649d0dcfe (diff)
download	gdb-49910fd88dcd2ec3d0d9e56120ceb56a6a64b7b8.zip gdb-49910fd88dcd2ec3d0d9e56120ceb56a6a64b7b8.tar.gz gdb-49910fd88dcd2ec3d0d9e56120ceb56a6a64b7b8.tar.bz2