From 2d4b49864eba70606b1bee3d0a3e8414189dcd6d Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Mon, 10 May 2021 09:56:43 +0930 Subject: Avoid possible pointer wrap PTR supplied to these macros can be read from user input, END is an end of buffer pointer. It's safer to do arithmetic on END than on PTR. * dwarf.c (SAFE_BYTE_GET): Check bounds by subtracting amount from END rather than adding amount to PTR. (SAFE_SIGNED_BYTE_GET, SAFE_BYTE_GET64): Likewise. --- binutils/ChangeLog | 6 ++++++ binutils/dwarf.c | 6 +++--- 2 files changed, 9 insertions(+), 3 deletions(-) (limited to 'binutils') diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 3026297..ae27252 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,9 @@ +2021-05-10 Alan Modra + + * dwarf.c (SAFE_BYTE_GET): Check bounds by subtracting amount from + END rather than adding amount to PTR. + (SAFE_SIGNED_BYTE_GET, SAFE_BYTE_GET64): Likewise. + 2021-05-09 Alan Modra * objcopy.c (eq_string): Delete. diff --git a/binutils/dwarf.c b/binutils/dwarf.c index d93d923..c584f5b 100644 --- a/binutils/dwarf.c +++ b/binutils/dwarf.c @@ -406,7 +406,7 @@ read_leb128 (unsigned char *data, amount, (int) sizeof (VAL)); \ amount = sizeof (VAL); \ } \ - if (((PTR) + amount) >= (END)) \ + if ((PTR) >= (END) - amount) \ { \ if ((PTR) < (END)) \ amount = (END) - (PTR); \ @@ -434,7 +434,7 @@ read_leb128 (unsigned char *data, do \ { \ unsigned int amount = (AMOUNT); \ - if (((PTR) + amount) >= (END)) \ + if ((PTR) >= (END) - amount) \ { \ if ((PTR) < (END)) \ amount = (END) - (PTR); \ @@ -460,7 +460,7 @@ read_leb128 (unsigned char *data, #define SAFE_BYTE_GET64(PTR, HIGH, LOW, END) \ do \ { \ - if (((PTR) + 8) <= (END)) \ + if ((PTR) <= (END) - 8) \ { \ byte_get_64 ((PTR), (HIGH), (LOW)); \ } \ -- cgit v1.1