authorAlan Modra <amodra@gmail.com>2019-08-19 20:24:35 +0930
committerAlan Modra <amodra@gmail.com>2019-08-19 20:38:59 +0930
commitd292364e95fc9c8230b678d9026f285850074c02 (patch)
tree5a4c285984e140319dfbc82ad9fa6d468fd0baf9 /binutils/dwarf.c
parent903b777ddeb4c11a7de12cab59124e777614edec (diff)
PR24898, An out-of-bounds read occured in display_data
Given 32-bit pointers and a 64-bit bfd_size_type, it is relatively easy to construct a value of augmentation_data_len (eg. 0x100000000) that won't fail pointer checks but will print without bounds. PR 24898 * dwarf.c (display_debug_frames): Use the read_cie check and error for augmentation data length.
Diffstat (limited to 'binutils/dwarf.c')
-rw-r--r--binutils/dwarf.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index b4738eb..e792a17 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -7822,18 +7822,18 @@ display_debug_frames (struct dwarf_section *section,
{
READ_ULEB (augmentation_data_len);
augmentation_data = start;
- start += augmentation_data_len;
/* PR 17512 file: 722-8446-0.004 and PR 22386. */
- if (start >= end
- || ((bfd_signed_vma) augmentation_data_len) < 0
- || augmentation_data > start)
+ if (augmentation_data_len > (bfd_size_type) (end - start))
{
- warn (_("Corrupt augmentation data length: 0x%s\n"),
- dwarf_vmatoa ("x", augmentation_data_len));
+ warn (_("Augmentation data too long: 0x%s, "
+ "expected at most %#lx\n"),
+ dwarf_vmatoa ("x", augmentation_data_len),
+ (unsigned long) (end - start));
start = end;
augmentation_data = NULL;
augmentation_data_len = 0;
}
+ start += augmentation_data_len;
}
printf ("\n%08lx %s %s FDE cie=%08lx pc=",
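Review bot: The comment above the new bounds test still cites only PR 17512 and PR 22386 and does not say why the length is now compared before `start` is advanced, which is the whole point of the fix. I would extend it to something like `/* PR 17512 file: 722-8446-0.004, PR 22386 and PR 24898. Compare the length with the bytes remaining before advancing START; with 32-bit pointers and a 64-bit bfd_size_type the addition can truncate and pass a pointer comparison. */` so the ordering is not undone by a later cleanup. Separately, the new test accepts `augmentation_data_len == end - start`, which leaves `start == end`, whereas the removed `start >= end` test rejected that case. The rest of display_debug_frames is outside this hunk, so it is worth confirming that the code after the `printf` tolerates an empty remainder.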