author | Alan Modra <amodra@gmail.com> | 2019-10-09 10:47:13 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2019-10-09 13:28:20 +1030 |
commit | 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 (patch) | |
tree | 5b58fe6559be5012ef7897a2cc5a4f2bfa9dd81b /bfd/dwarf2.c | |
parent | 41481f9e4e4bd48e533f5731b6abc2730a3d7d81 (diff) | |
PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
and ffffd5555453b140 result in a total size of 1. Reading the first
section of course overflows the buffer and tramples on other memory.
PR 25070
* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
total_size calculation.
Diffstat (limited to 'bfd/dwarf2.c')
-rw-r--r-- | bfd/dwarf2.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c index d39f4fd..88aaa2d 100644 --- a/bfd/dwarf2.c +++ b/bfd/dwarf2.c @@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, for (total_size = 0; msec; msec = find_debug_info (debug_bfd, debug_sections, msec)) - total_size += msec->size; + { + /* Catch PR25070 testcase overflowing size calculation here. */ + if (total_size + msec->size < total_size + || total_size + msec->size < msec->size) + { + bfd_set_error (bfd_error_no_memory); + return FALSE; + } + total_size += msec->size; + } stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size); if (stash->info_ptr_memory == NULL) |
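Review bot: the second comparison in the new if, "total_size + msec->size < msec->size", looks redundant. The commit message describes the two sizes wrapping to a total of 1, so the addition is unsigned, and a wrapped unsigned sum is smaller than both addends; the first test, "total_size + msec->size < total_size", already catches every wrap when both operands have the same width. If the two operands can differ in width, say so in the comment, otherwise drop the second test. Separately, bfd_set_error (bfd_error_no_memory) reports a malformed input as an allocation failure; an error such as bfd_error_bad_value would tell the caller that the section sizes are the problem. The check also only rules out wrap-around: a total that is large but does not wrap still goes to bfd_malloc (total_size) unchanged, so the NULL check that follows stays the only guard against implausible sizes.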