* PR29893, buffer overflow in display_debug_addr
@ 2022-12-12 14:09 Alan Modra
0 siblings, 0 replies; only message in thread
From: Alan Modra @ 2022-12-12 14:09 UTC (permalink / raw)
To: binutils
PR 29893
* dwarf.c (display_debug_addr): Sanity check dwarf5 unit_length
field. Don't read past end.
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index b3039151ff6..c39c695863a 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -7731,8 +7731,13 @@ display_debug_addr (struct dwarf_section *section,
SAFE_BYTE_GET_AND_INC (length, curr_header, 4, entry);
if (length == 0xffffffff)
SAFE_BYTE_GET_AND_INC (length, curr_header, 8, entry);
+ if (length > (size_t) (section->start + section->size - curr_header))
+ {
+ warn (_("Corrupt %s section: unit_length field of %#" PRIx64
+ " too large\n"), section->name, length);
+ return 0;
+ }
end = curr_header + length;
-
SAFE_BYTE_GET_AND_INC (version, curr_header, 2, entry);
if (version != 5)
warn (_("Corrupt %s section: expecting version number 5 in header but found %d instead\n"),
@@ -7746,7 +7751,7 @@ display_debug_addr (struct dwarf_section *section,
end = section->start + debug_addr_info [i + 1]->addr_base;
header = end;
idx = 0;
- while (entry < end)
+ while ((size_t) (end - entry) >= address_size)
{
uint64_t base = byte_get (entry, address_size);
printf (_("\t%d:\t"), idx);
--
Alan Modra
Australia Development Lab, IBM
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2022-12-12 14:09 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-12 14:09 PR29893, buffer overflow in display_debug_addr Alan Modra
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).