From 9c0f3d3f2017829ffd908c9893b85094985c3b58 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Thu, 5 Oct 2017 17:32:18 +1030
Subject: PR22239 - invalid memory read in display_debug_frames

Pointer comparisons have traps for the unwary.  After adding a large
unknown value to "start", the test "start < end" depends on where
"start" is originally in memory.

	PR 22239
	* dwarf.c (read_cie): Don't compare "start" and "end" pointers
	after adding a possibly wild length to "start", compare the length
	to the difference of the pointers instead.  Remove now redundant
	"negative" length test.
---
 binutils/dwarf.c | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

(limited to 'binutils/dwarf.c')

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 7ded1bf..f8c726c 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -7001,14 +7001,14 @@ read_cie (unsigned char *start, unsigned char *end,
     {
       READ_ULEB (augmentation_data_len);
       augmentation_data = start;
-      start += augmentation_data_len;
       /* PR 17512: file: 11042-2589-0.004.  */
-      if (start > end)
+      if (augmentation_data_len > (size_t) (end - start))
 	{
 	  warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
-		augmentation_data_len, (long)((end - start) + augmentation_data_len));
+		augmentation_data_len, (unsigned long) (end - start));
 	  return end;
 	}
+      start += augmentation_data_len;
     }
 
   if (augmentation_data_len)
@@ -7021,14 +7021,7 @@ read_cie (unsigned char *start, unsigned char *end,
       q = augmentation_data;
       qend = q + augmentation_data_len;
 
-      /* PR 17531: file: 015adfaa.  */
-      if (qend < q)
-	{
-	  warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
-	  augmentation_data_len = 0;
-	}
-
-      while (p < end && q < augmentation_data + augmentation_data_len)
+      while (p < end && q < qend)
 	{
 	  if (*p == 'L')
 	    q++;
-- 
cgit v1.1