diff options
author | Nick Clifton <nickc@redhat.com> | 2017-09-26 12:14:42 +0100 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2017-09-26 12:14:42 +0100 |
commit | 5c1c468d0eddd0fda1ec8c5f33888657f94e3266 (patch) | |
tree | eb16aa0066df301e6fec7d52360c56f5c4cb5f1e /binutils/dwarf.c | |
parent | 28d810f7ffd7fefd88117e9d830e7588591fd35c (diff) | |
download | gdb-5c1c468d0eddd0fda1ec8c5f33888657f94e3266.zip gdb-5c1c468d0eddd0fda1ec8c5f33888657f94e3266.tar.gz gdb-5c1c468d0eddd0fda1ec8c5f33888657f94e3266.tar.bz2 |
Fix address violations when parsing a corrupt DWARF linenumber table.
PR 22154
* dwarf.c (get_line_filename_and_dirname): Add extra checks for
buffer overruns.
Diffstat (limited to 'binutils/dwarf.c')
-rw-r--r-- | binutils/dwarf.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/binutils/dwarf.c b/binutils/dwarf.c index d4156e4..edc65aa 100644 --- a/binutils/dwarf.c +++ b/binutils/dwarf.c @@ -4742,13 +4742,21 @@ get_line_filename_and_dirname (dwarf_vma line_offset, return NULL; hdrptr += opcode_base - 1; + if (hdrptr >= end) + return NULL; + dirtable = hdrptr; /* Skip over dirname table. */ while (*hdrptr != '\0') - hdrptr += strnlen ((char *) hdrptr, end - hdrptr) + 1; + { + hdrptr += strnlen ((char *) hdrptr, end - hdrptr) + 1; + if (hdrptr >= end) + return NULL; + } hdrptr++; /* Skip the NUL at the end of the table. */ + /* Now skip over preceding filename table entries. */ - for (; *hdrptr != '\0' && fileidx > 1; fileidx--) + for (; hdrptr < end && *hdrptr != '\0' && fileidx > 1; fileidx--) { hdrptr += strnlen ((char *) hdrptr, end - hdrptr) + 1; read_uleb128 (hdrptr, &bytes_read, end); @@ -4758,16 +4766,19 @@ get_line_filename_and_dirname (dwarf_vma line_offset, read_uleb128 (hdrptr, &bytes_read, end); hdrptr += bytes_read; } - if (hdrptr == end || *hdrptr == '\0') + if (hdrptr >= end || *hdrptr == '\0') return NULL; + file_name = hdrptr; hdrptr += strnlen ((char *) hdrptr, end - hdrptr) + 1; + if (hdrptr >= end) + return NULL; diridx = read_uleb128 (hdrptr, &bytes_read, end); if (diridx == 0) return file_name; - for (; *dirtable != '\0' && diridx > 1; diridx--) + for (; dirtable < end && *dirtable != '\0' && diridx > 1; diridx--) dirtable += strnlen ((char *) dirtable, end - dirtable) + 1; - if (*dirtable == '\0') + if (dirtable >= end || *dirtable == '\0') return NULL; *dir_name = dirtable; return file_name; |