Date: Tue, 13 Dec 2022 00:39:43 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: PR29893, buffer overflow in display_debug_addr

PR 29893
* dwarf.c (display_debug_addr): Sanity check dwarf5 unit_length field. Don't read past end.

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index b3039151ff6..c39c695863a 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -7731,8 +7731,13 @@ display_debug_addr (struct dwarf_section *section, SAFE_BYTE_GET_AND_INC (length, curr_header, 4, entry); if (length == 0xffffffff) SAFE_BYTE_GET_AND_INC (length, curr_header, 8, entry); + if (length > (size_t) (section->start + section->size - curr_header)) + { + warn (_("Corrupt %s section: unit_length field of %#" PRIx64 + " too large\n"), section->name, length); + return 0; + } end = curr_header + length; - SAFE_BYTE_GET_AND_INC (version, curr_header, 2, entry); if (version != 5) warn (_("Corrupt %s section: expecting version number 5 in header but found %d instead\n"), @@ -7746,7 +7751,7 @@ display_debug_addr (struct dwarf_section *section, end = section->start + debug_addr_info [i + 1]->addr_base; header = end; idx = 0; - while (entry < end) + while ((size_t) (end - entry) >= address_size) { uint64_t base = byte_get (entry, address_size); printf (_("\t%d:\t"), idx); -- Alan Modra Australia Development Lab, IBM
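Review bot: In the first hunk (@@ -7731,8 +7731,13 @@) the new check bounds unit_length only from above, so a length that fits in the section but is too small to hold the header fields still sets `end = curr_header + length` to a point before the end of the header. The version read that follows is limited by `entry`, not by the new `end`, so nothing shown here ties the header reads to the unit's own length. Consider also rejecting a length smaller than the fixed header size next to the new test. A short comment saying that the right-hand side is the number of bytes remaining after the length field would help, since it depends on curr_header having already been advanced by SAFE_BYTE_GET_AND_INC. Note too that this path returns 0 and stops processing the section, while the version mismatch just below only warns and carries on; if that difference is intended, it deserves a word in the comment.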
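Review bot: In the second hunk (@@ -7746,7 +7751,7 @@) the cast in `while ((size_t) (end - entry) >= address_size)` assumes end >= entry. Here `end` comes from `section->start + debug_addr_info [i + 1]->addr_base`, and nothing in the visible lines shows that this is at or after `entry`. If it is not, the negative difference converts to a very large size_t, the condition is true, and byte_get reads beyond the intended range, a case the old `entry < end` test rejected. Unless the ordering is guaranteed elsewhere, keep both conditions, for example `entry < end && (size_t) (end - entry) >= address_size`. The new form does correctly stop before a trailing partial entry shorter than address_size, which the old test did not.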