aboutsummaryrefslogtreecommitdiff
path: root/binutils
diff options
context:
space:
mode:
authorNick Clifton <nickc@redhat.com>2015-02-13 14:17:18 +0000
committerNick Clifton <nickc@redhat.com>2015-02-13 14:17:18 +0000
commitffc0f143c74a7d49f6d1ae3f835e404ef4e56772 (patch)
tree3d16ae7b357dfb1ca9535190c3973febc9b5067c /binutils
parent951eaaec17411eba4debe19781f6b8b54306256e (diff)
downloadgdb-ffc0f143c74a7d49f6d1ae3f835e404ef4e56772.zip
gdb-ffc0f143c74a7d49f6d1ae3f835e404ef4e56772.tar.gz
gdb-ffc0f143c74a7d49f6d1ae3f835e404ef4e56772.tar.bz2
Fixes for memory access violations triggered by running readelf on fuzzed binaries.
PR binutils/17531 * dwarf.c (display_debug_aranges): Add check for an excessive ar_length value. (process_cu_tu_index): Check for a row * columns sum being too large.
Diffstat (limited to 'binutils')
-rw-r--r--binutils/ChangeLog6
-rw-r--r--binutils/dwarf.c17
2 files changed, 21 insertions, 2 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 4325f3a..4f45265 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -8,6 +8,12 @@
available before parsing.
(prescan): Likewise.
+ PR binutils/17531
+ * dwarf.c (display_debug_aranges): Add check for an excessive
+ ar_length value.
+ (process_cu_tu_index): Check for a row * columns sum being too
+ large.
+
2015-02-13 Alan Modra <amodra@gmail.com>
* dwarf.c: Formatting, whitespace.
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 936f634..272b41f 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -4923,7 +4923,13 @@ display_debug_aranges (struct dwarf_section *section,
if (excess)
addr_ranges += (2 * address_size) - excess;
- start += arange.ar_length + initial_length_size;
+ hdrptr = start + arange.ar_length + initial_length_size;
+ if (hdrptr < start || hdrptr > end)
+ {
+ error (_("Excessive header length: %lx\n"), (long) arange.ar_length);
+ break;
+ }
+ start = hdrptr;
while (addr_ranges + 2 * address_size <= start)
{
@@ -7084,7 +7090,14 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));
prow = poffsets + (row - 1) * ncols * 4;
-
+ /* PR 17531: file: b8ce60a8. */
+ if (prow < poffsets || prow > limit)
+ {
+ warn (_("Row index (%u) * num columns (%u) > space remaining in section\n"),
+ row, ncols);
+ return 0;
+ }
+
if (do_display)
printf (_(" [%3d] 0x%s"),
i, dwarf_vmatoa64 (signature_high, signature_low,