author | Alan Modra <amodra@gmail.com> | 2019-08-19 20:24:35 +0930 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2019-08-19 20:38:59 +0930 |
commit | d292364e95fc9c8230b678d9026f285850074c02 (patch) | |
tree | 5a4c285984e140319dfbc82ad9fa6d468fd0baf9 /binutils/dwarf.c | |
parent | 903b777ddeb4c11a7de12cab59124e777614edec (diff) | |
PR24898, An out-of-bounds read occurred in display_data

Given 32-bit pointers and a 64-bit bfd_size_type, it is relatively
easy to construct a value of augmentation_data_len (eg. 0x100000000)
that won't fail pointer checks but will print without bounds.

PR 24898
* dwarf.c (display_debug_frames): Use the read_cie check and error
for augmentation data length.

Diffstat (limited to 'binutils/dwarf.c')
-rw-r--r-- | binutils/dwarf.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/binutils/dwarf.c b/binutils/dwarf.c index b4738eb..e792a17 100644 --- a/binutils/dwarf.c +++ b/binutils/dwarf.c @@ -7822,18 +7822,18 @@ display_debug_frames (struct dwarf_section *section, { READ_ULEB (augmentation_data_len); augmentation_data = start; - start += augmentation_data_len; /* PR 17512 file: 722-8446-0.004 and PR 22386. */ - if (start >= end - || ((bfd_signed_vma) augmentation_data_len) < 0 - || augmentation_data > start) + if (augmentation_data_len > (bfd_size_type) (end - start)) { - warn (_("Corrupt augmentation data length: 0x%s\n"), - dwarf_vmatoa ("x", augmentation_data_len)); + warn (_("Augmentation data too long: 0x%s, " + "expected at most %#lx\n"), + dwarf_vmatoa ("x", augmentation_data_len), + (unsigned long) (end - start)); start = end; augmentation_data = NULL; augmentation_data_len = 0; } + start += augmentation_data_len; } printf ("\n%08lx %s %s FDE cie=%08lx pc=", |
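
Review bot: The new bound in display_debug_frames uses `>` where the removed test rejected `start >= end` after the increment, so an augmentation_data_len exactly equal to `end - start` is now accepted and `start` is left equal to `end` when the block exits. Please confirm that the code following this block does not read from `start` without its own bounds check, or say in the comment that the boundary case is accepted on purpose. Two smaller points on the same hunk: the cast in `(bfd_size_type) (end - start)` is only safe while `start <= end` holds after READ_ULEB, which is worth a short comment since a negative difference would convert to a very large unsigned value and let any length through; and the retained comment still cites only PR 17512 and PR 22386, so adding PR 24898 there would keep the history of this check in one place.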