From: Alan Modra
To: bfd-cvs@sourceware.org
Subject: [binutils-gdb] objdump buffer overflow in fetch_indexed_string
X-Git-Refname: refs/heads/master
X-Git-Oldrev: a0fc6845a9506314524f1ad142c529bc3011568b
X-Git-Newrev: 34d63622f677b577b927debb1d6fd2bfef4422bd
Message-Id: <20230418015012.E0BE13858D28@sourceware.org>
Date: Tue, 18 Apr 2023 01:50:12 +0000 (GMT)

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=34d63622f677b577b927debb1d6fd2bfef4422bd

commit 34d63622f677b577b927debb1d6fd2bfef4422bd
Author: Alan Modra
Date:   Tue Apr 18 10:20:08 2023 +0930

    objdump buffer overflow in fetch_indexed_string

    PR 30361
    * dwarf.c (fetch_indexed_string): Sanity check string index.

Diff:
---
 binutils/dwarf.c | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 87ce1541d1c..86893c59dc7 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -659,14 +659,13 @@ fetch_indexed_string (uint64_t idx, return (dwo ? _("") : _("")); =20 - index_offset =3D idx * offset_size; - - if (this_set !=3D NULL) - index_offset +=3D this_set->section_offsets [DW_SECT_STR_OFFSETS]; - - index_offset +=3D str_offsets_base; - - if (index_offset + offset_size > index_section->size) + if (_mul_overflow (idx, offset_size, &index_offset) + || (this_set !=3D NULL + && ((index_offset +=3D this_set->section_offsets [DW_SECT_STR_OFFSETS]) + < this_set->section_offsets [DW_SECT_STR_OFFSETS])) + || (index_offset +=3D str_offsets_base) < str_offsets_base + || index_offset + offset_size < offset_size + || index_offset + offset_size > index_section->size) { warn (_("string index of %" PRIu64 " converts to an offset of %#" PR= Ix64 " which is too big for section %s"), @@ -675,11 +674,6 @@ fetch_indexed_string (uint64_t idx, return _(""); } =20 - /* FIXME: If we are being paranoid then we should also check to see if - IDX references an entry beyond the end of the string table pointed to - by STR_OFFSETS_BASE. (Since there can be more than one string table - in a DWARF string section). */ - str_offset =3D byte_get (index_section->start + index_offset, offset_siz= e); =20 str_offset -=3D str_section->address;
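Review bot: In the first hunk, the new condition mutates index_offset inside the `||` chain (`(index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS]) < ...` and `(index_offset += str_offsets_base) < str_offsets_base`), so when any earlier term trips, index_offset is left holding a wrapped or partially accumulated value; if the `warn (...)` that follows prints index_offset as the "converts to an offset of %#PRIx64" argument (its arguments are outside the hunk), the diagnostic will report a meaningless offset on exactly the overflow paths this change is meant to catch. Consider computing each step into a local with explicit wraparound checks before the `if`, which also makes the five-term condition easier to audit, and passing the unwrapped idx-derived value (or just idx) to the warning.

Review bot: The second hunk deletes the FIXME about IDX indexing past the end of the particular string-offset table at STR_OFFSETS_BASE (the multiple-tables-per-section case), but the replacement check in the first hunk still only bounds `index_offset + offset_size` against `index_section->size`, i.e. the whole section, so the per-table concern the comment described is not implemented here. Either keep the FIXME, or have the commit message state why the per-table bound is no longer needed, so a later reader does not take the removal to mean the case is now covered.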