* PR32663, ld buffer overflow reading .debug_info
@ 2025-02-09 10:21 Alan Modra
From: Alan Modra @ 2025-02-09 10:21 UTC (permalink / raw)
  To: binutils

When reading debug info to print an error message, we'll be reading
the debug info off disk, not using edited debug info.  sec->rawsize
if non-zero is the correct size.

	PR 32663
	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Use
	bfd_get_section_limit_octets to properly size debug sections.

diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index bc17347fbf8..a62c9523743 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -5513,7 +5513,7 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
   if (! find_debug_info (debug_bfd, debug_sections, msec))
     {
       /* Case 1: only one info section.  */
-      total_size = msec->size;
+      total_size = bfd_get_section_limit_octets (debug_bfd, msec);
       if (! read_section (debug_bfd, &stash->debug_sections[debug_info],
 			  symbols, 0,
 			  &stash->f.dwarf_info_buffer, &total_size))
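Review bot: The reason for replacing `msec->size` is recorded only in the commit message, so at `total_size = bfd_get_section_limit_octets (debug_bfd, msec);` a later reader has no hint that the on-disk size is what bounds the read. I would add a short comment above the assignment, for example `/* Contents are read from disk here, so size by rawsize when it is non-zero, not the edited size.  */`. The same comment applies to the two `readsz` assignments in the loops of the following hunks, which could otherwise be "simplified" back to `msec->size`. The body of _bfd_dwarf2_slurp_debug_info starts and ends outside this hunk.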
@@ -5528,13 +5528,14 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
 	{
 	  if (bfd_section_size_insane (debug_bfd, msec))
 	    goto restore_vma;
+	  bfd_size_type readsz = bfd_get_section_limit_octets (debug_bfd, msec);
 	  /* Catch PR25070 testcase overflowing size calculation here.  */
-	  if (total_size + msec->size < total_size)
+	  if (total_size + readsz < total_size)
 	    {
 	      bfd_set_error (bfd_error_no_memory);
 	      goto restore_vma;
 	    }
-	  total_size += msec->size;
+	  total_size += readsz;
 	}
 
       stash->f.dwarf_info_buffer = (bfd_byte *) bfd_malloc (total_size);
@@ -5546,10 +5547,8 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
 	   msec;
 	   msec = find_debug_info (debug_bfd, debug_sections, msec))
 	{
-	  bfd_size_type size;
-
-	  size = msec->size;
-	  if (size == 0)
+	  bfd_size_type readsz = bfd_get_section_limit_octets (debug_bfd, msec);
+	  if (readsz == 0)
 	    continue;
 
 	  if (!(bfd_simple_get_relocated_section_contents
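Review bot: This copy loop recomputes `readsz` per section independently of the sizing loop in the previous hunk, and nothing visible checks the running offset against the size passed to `bfd_malloc`. The writes into `dwarf_info_buffer` therefore stay in bounds only while both loops and bfd_simple_get_relocated_section_contents agree on each section's size, which is the invariant this PR found broken. A defensive bound would make that explicit: keep the allocated size in its own variable (called `alloc_size` here as a placeholder) and add `if (readsz > alloc_size - total_size) goto restore_vma;` before the call. The call's arguments and the point where `total_size` is reset lie outside the hunk, so this assumes the offset restarts at zero before the loop.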
@@ -5557,7 +5556,7 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
 		 symbols)))
 	    goto restore_vma;
 
-	  total_size += size;
+	  total_size += readsz;
 	}
     }
 

-- 
Alan Modra
