author | Nick Clifton <nickc@redhat.com> | 2015-02-13 14:17:18 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2015-02-13 14:17:18 +0000 |
commit | ffc0f143c74a7d49f6d1ae3f835e404ef4e56772 (patch) | |
tree | 3d16ae7b357dfb1ca9535190c3973febc9b5067c /binutils | |
parent | 951eaaec17411eba4debe19781f6b8b54306256e (diff) | |
Fixes for memory access violations triggered by running readelf on fuzzed binaries.
PR binutils/17531
* dwarf.c (display_debug_aranges): Add check for an excessive
ar_length value.
(process_cu_tu_index): Check for a row * columns sum being too
large.
Diffstat (limited to 'binutils')
-rw-r--r-- | binutils/ChangeLog | 6 | ||||
-rw-r--r-- | binutils/dwarf.c | 17 |
2 files changed, 21 insertions, 2 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 4325f3a..4f45265 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -8,6 +8,12 @@
 available before parsing.
 (prescan): Likewise.
+ PR binutils/17531
+ * dwarf.c (display_debug_aranges): Add check for an excessive
+ ar_length value.
+ (process_cu_tu_index): Check for a row * columns sum being too
+ large.
+
 2015-02-13 Alan Modra <amodra@gmail.com>
 * dwarf.c: Formatting, whitespace.
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 936f634..272b41f 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -4923,7 +4923,13 @@ display_debug_aranges (struct dwarf_section *section,
 if (excess)
 addr_ranges += (2 * address_size) - excess;
- start += arange.ar_length + initial_length_size;
+ hdrptr = start + arange.ar_length + initial_length_size;
+ if (hdrptr < start || hdrptr > end)
+ {
+ error (_("Excessive header length: %lx\n"), (long) arange.ar_length);
+ break;
+ }
+ start = hdrptr;
 while (addr_ranges + 2 * address_size <= start)
 {
@@ -7084,7 +7090,14 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
 memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));
 prow = poffsets + (row - 1) * ncols * 4;
-
+ /* PR 17531: file: b8ce60a8. */
+ if (prow < poffsets || prow > limit)
+ {
+ warn (_("Row index (%u) * num columns (%u) > space remaining in section\n"),
+ row, ncols);
+ return 0;
+ }
+
 if (do_display)
 printf (_(" [%3d] 0x%s"),
 i, dwarf_vmatoa64 (signature_high, signature_low, |
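Review bot: The guard `if (hdrptr < start || hdrptr > end)` in display_debug_aranges tests for overflow only after `start + arange.ar_length + initial_length_size` has been formed, and computing a pointer that lands outside the section is undefined behaviour, so an optimiser may treat `hdrptr < start` as always false, and a value that wraps all the way round can also pass `hdrptr > end`. Do the comparison on lengths before touching the pointer: `if ((size_t) (end - start) < initial_length_size || arange.ar_length > (size_t) (end - start) - initial_length_size)`, keep the existing error/break body, and then `start += arange.ar_length + initial_length_size;` as before. This assumes `end >= start` at this point, which the surrounding code appears to maintain but is outside the hunk. The same pointer-wrap pattern is used by `prow < poffsets` in the process_cu_tu_index hunk below and should be reworked the same way. The loop enclosing this code in display_debug_aranges starts and ends outside the hunk.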
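Review bot: `prow > limit` in process_cu_tu_index bounds only the first byte of the row, but the row is `ncols * 4` bytes wide, so a row that starts just below `limit` is still read past the section unless a later per-column check outside the hunk covers it. Given the `%u` formats, `row` and `ncols` appear to be `unsigned int`, so `(row - 1) * ncols * 4` is evaluated in 32 bits and can wrap to a small offset that passes the guard while selecting the wrong row. Computing the offset as a size first addresses both: `size_t row_off = (size_t) (row - 1) * ncols * 4;`, then `if (row_off > (size_t) (limit - poffsets) || (size_t) ncols * 4 > (size_t) (limit - poffsets) - row_off)` in place of the pointer compare, and `prow = poffsets + row_off;` after the check; on a 32-bit host the product itself still needs an overflow check against `SIZE_MAX / 4 / ncols` before the multiply. The `/* PR 17531: file: b8ce60a8.  */` comment would be more useful if it also named the failure it prevents, e.g. `/* PR 17531: file: b8ce60a8.  Reject a row offset that lies outside the offsets table.  */`. The body of process_cu_tu_index continues outside the hunk.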