From: Alan Modra
To: binutils@sourceware.org
Date: Tue, 18 Apr 2023 10:55:05 +0930
Subject: objdump buffer overflow in fetch_indexed_string

	PR 30361
	* dwarf.c (fetch_indexed_string): Sanity check string index.

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 87ce1541d1c..86893c59dc7 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -659,14 +659,13 @@ fetch_indexed_string (uint64_t idx, return (dwo ? _("") : _("")); - index_offset = idx * offset_size; - - if (this_set != NULL) - index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS]; - - index_offset += str_offsets_base; - - if (index_offset + offset_size > index_section->size) + if (_mul_overflow (idx, offset_size, &index_offset) + || (this_set != NULL + && ((index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS]) + < this_set->section_offsets [DW_SECT_STR_OFFSETS])) + || (index_offset += str_offsets_base) < str_offsets_base + || index_offset + offset_size < offset_size + || index_offset + offset_size > index_section->size) { warn (_("string index of %" PRIu64 " converts to an offset of %#" PRIx64 " which is too big for section %s"), @@ -675,11 +674,6 @@ fetch_indexed_string (uint64_t idx, return _(""); } - /* FIXME: If we are being paranoid then we should also check to see if - IDX references an entry beyond the end of the string table pointed to - by STR_OFFSETS_BASE. (Since there can be more than one string table - in a DWARF string section). */ - str_offset = byte_get (index_section->start + index_offset, offset_size); str_offset -= str_section->address; -- Alan Modra Australia Development Lab, IBM
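Review bot: the new condition in the first hunk is sound for uint64_t but hard to audit; each `(index_offset += x) < x` term relies on unsigned wraparound to detect overflow of that one addition, and `index_offset + offset_size < offset_size` does the same for the final add before the `> index_section->size` bound. A one-line comment above the `if` naming that idiom would help the next reader. Also, when one of the overflow terms fires, `warn` still reports `index_offset` as the offset "which is too big for section", so the printed value is the wrapped result rather than the real product; either use a distinct message for the overflow case or note in the comment that the reported offset may have wrapped.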
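Review bot: the second hunk deletes the FIXME about IDX referencing an entry beyond the end of the string table that STR_OFFSETS_BASE points to, but the check added in the first hunk only bounds `index_offset + offset_size` against `index_section->size`, the whole index section; with more than one string-offsets table in the section an index can still land in a following table. If that gap is closed elsewhere, say so in the commit message; otherwise keep the comment (reworded if you like) so the remaining limitation stays documented next to the code.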