2010-11-19 Will Drewry <wad@google.com>

	    Tavis Ormandy  <taviso@google.com>
	    Jan Kratochvil  <jan.kratochvil@redhat.com>

	* dwarf2read.c (decode_locdesc): Enforce location description stack
	boundaries.

1 files changed, 18 insertions, 2 deletions

diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
index 33ebea8..7ad8037 100644
--- a/gdb/dwarf2read.c
+++ b/gdb/dwarf2read.c
@@ -13279,8 +13279,7 @@ read_signatured_type (struct objfile *objfile,
    callers will only want a very basic result and this can become a
    complaint.
 
-   Note that stack[0] is unused except as a default error return.
-   Note that stack overflow is not yet handled.  */
+   Note that stack[0] is unused except as a default error return.  */
 
 static CORE_ADDR
 decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu)
@@ -13297,6 +13296,7 @@ decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu)
   i = 0;
   stacki = 0;
   stack[stacki] = 0;
+  stack[++stacki] = 0;
 
   while (i < size)
     {
@@ -13478,6 +13478,22 @@ decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu)
 		     dwarf_stack_op_name (op, 1));
 	  return (stack[stacki]);
 	}
+
+      /* Enforce maximum stack depth of SIZE-1 to avoid writing
+         outside of the allocated space.  Also enforce minimum>0.  */
+      if (stacki >= ARRAY_SIZE (stack) - 1)
+	{
+	  complaint (&symfile_complaints,
+		     _("location description stack overflow"));
+	  return 0;
+	}
+
+      if (stacki <= 0)
+	{
+	  complaint (&symfile_complaints,
+		     _("location description stack underflow"));
+	  return 0;
+	}
     }
   return (stack[stacki]);
 }