* [gold commit] Fix segfault when reading corrupt .debug_pubnames table
@ 2014-06-09 21:53 Cary Coutant
From: Cary Coutant @ 2014-06-09 21:53 UTC (permalink / raw)
  To: Binutils

Sometimes, GCC will produce a .debug_pubnames unit_length field that is
too large, and gold will try to read name entries beyond the end of the
section. This patch adds an extra check to prevent that from happening.

-cary


2014-06-09  Cary Coutant  <ccoutant@google.com>

gold/
        * dwarf_reader.cc (Dwarf_pubnames_table::read_header): Check that
        unit_length is within section bounds.

diff --git a/gold/dwarf_reader.cc b/gold/dwarf_reader.cc
index df14bd5..30aea10 100644
--- a/gold/dwarf_reader.cc
+++ b/gold/dwarf_reader.cc
@@ -580,6 +580,12 @@ Dwarf_pubnames_table::read_header(off_t offset)
     }
   this->end_of_table_ = pinfo + unit_length;

+  // If unit_length is too big, maybe we should reject the whole table,
+  // but in cases we know about, it seems OK to assume that the table
+  // is valid through the actual end of the section.
+  if (this->end_of_table_ > this->buffer_end_)
+    this->end_of_table_ = this->buffer_end_;
+
   // Check the version.
   unsigned int version = this->dwinfo_->read_from_pointer<16>(pinfo);
   pinfo += 2;
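Review bot: the clamp `if (this->end_of_table_ > this->buffer_end_)` runs only after `this->end_of_table_ = pinfo + unit_length;` has already formed an out-of-bounds pointer, so a unit_length large enough to wrap the pointer arithmetic can produce an end_of_table_ that is below buffer_end_ and slips past the new check. Comparing the length against the bytes actually remaining before forming the pointer avoids that, e.g. clamp `unit_length` to `this->buffer_end_ - pinfo` when it exceeds that distance and only then compute `this->end_of_table_ = pinfo + unit_length;`. The comment above the check should also state plainly that an over-long table is silently truncated to the section end rather than rejected, since callers get no diagnostic that the length field was corrupt.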
