diff options
| author | Alan Modra <amodra@gmail.com> | 2021-05-15 15:37:07 +0930 |
|---|---|---|
| committer | Alan Modra <amodra@gmail.com> | 2021-05-15 15:38:58 +0930 |
| commit | bb19bf12693b2790ab92a1291279269ab8712168 (patch) | |
| tree | 3e04cb3a5c9b1b3629a7bee054a48deea1ff3644 /binutils | |
| parent | d7870f6304cc62bd3a30ebc9c98dceff2bb50fbb (diff) | |
| download | gdb-bb19bf12693b2790ab92a1291279269ab8712168.zip gdb-bb19bf12693b2790ab92a1291279269ab8712168.tar.gz gdb-bb19bf12693b2790ab92a1291279269ab8712168.tar.bz2 | |
display_gdb_index
* dwarf.c (display_gdb_index): Avoid pointer UB and overflow in
length calculations.
Diffstat (limited to 'binutils')
| -rw-r--r-- | binutils/ChangeLog | 5 | ||||
| -rw-r--r-- | binutils/dwarf.c | 18 |
2 files changed, 12 insertions, 11 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog index d3c6a39..ec8a643 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,5 +1,10 @@ 2021-05-15 Alan Modra <amodra@gmail.com> + * dwarf.c (display_gdb_index): Avoid pointer UB and overflow in + length calculations. + +2021-05-15 Alan Modra <amodra@gmail.com> + * dwarf.c (display_debug_names): Complain when header length is too small. Avoid pointer UB. Sanity check augmentation string, CU table, TU table and foreign TU table sizes. diff --git a/binutils/dwarf.c b/binutils/dwarf.c index d06dd4b..db02be7 100644 --- a/binutils/dwarf.c +++ b/binutils/dwarf.c @@ -10105,7 +10105,7 @@ display_gdb_index (struct dwarf_section *section, symbol_table = start + symbol_table_offset; constant_pool = start + constant_pool_offset; - if (address_table + address_table_size > section->start + section->size) + if (address_table_offset + address_table_size > section->size) { warn (_("Address table extends beyond end of section.\n")); return 0; @@ -10160,11 +10160,9 @@ display_gdb_index (struct dwarf_section *section, || cu_vector_offset != 0) { unsigned int j; - unsigned char * adr; - adr = constant_pool + name_offset; /* PR 17531: file: 5b7b07ad. */ - if (adr < constant_pool || adr >= section->start + section->size) + if (name_offset >= section->size - constant_pool_offset) { printf (_("[%3u] <corrupt offset: %x>"), i, name_offset); warn (_("Corrupt name offset of 0x%x found for symbol table slot %d\n"), @@ -10175,8 +10173,8 @@ display_gdb_index (struct dwarf_section *section, (int) (section->size - (constant_pool_offset + name_offset)), constant_pool + name_offset); - adr = constant_pool + cu_vector_offset; - if (adr < constant_pool || adr >= section->start + section->size - 3) + if (section->size - constant_pool_offset < 4 + || cu_vector_offset > section->size - constant_pool_offset - 4) { printf (_("<invalid CU vector offset: %x>\n"), cu_vector_offset); warn (_("Corrupt CU vector offset of 0x%x found for symbol table slot %d\n"), @@ -10184,12 +10182,10 @@ display_gdb_index (struct dwarf_section *section, continue; } - num_cus = byte_get_little_endian (adr, 4); + num_cus = byte_get_little_endian (constant_pool + cu_vector_offset, 4); - adr = constant_pool + cu_vector_offset + 4 + num_cus * 4; - if (num_cus * 4 < num_cus - || adr >= section->start + section->size - || adr < constant_pool) + if ((uint64_t) num_cus * 4 > section->size - (constant_pool_offset + + cu_vector_offset + 4)) { printf ("<invalid number of CUs: %d>\n", num_cus); warn (_("Invalid number of CUs (0x%x) for symbol table slot %d\n"), |