From: Mark Wielaard
To: elfutils-devel@lists.fedorahosted.org
Subject: [COMMITTED] readelf: Fix sanity check of DW_FORM_block length in print_cfa_program
Date: Tue, 18 Nov 2014 10:04:34 +0100
Message-ID: <1416301474-18089-1-git-send-email-mjw@redhat.com>

We were checking the reg nr, not the length of the block.

Signed-off-by: Mark Wielaard
---
 src/readelf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/readelf.c b/src/readelf.c
index c14bfb6..08de798 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -5025,7 +5025,7 @@ print_cfa_program (const unsigned char *readp, const unsigned char *const endp,
 	  get_uleb128 (op2, readp); /* Length of DW_FORM_block.  */
 	  printf ("     expression r%" PRIu64 " (%s) \n", op1, regname (op1));
-	  if ((uint64_t) (endp - readp) < op1)
+	  if ((uint64_t) (endp - readp) < op2)
 	    goto invalid;
 	  print_ops (dwflmod, dbg, 10, 10, version, ptr_size, 0, NULL, op2, readp);
-- 
1.8.3.1
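Review bot: the one-line change is the right one. `op2` is the ULEB128 that `get_uleb128 (op2, readp)` reads as the DW_FORM_block length and then passes to `print_ops` as the byte count, whereas `op1` is the register number printed by `regname (op1)`; comparing the remaining bytes against the register number meant a block length larger than `endp - readp` could reach `print_ops` and walk past the end of the CFA data, which is exactly the over-read this check is there to stop. Two smaller points on the same hunk: the `printf` of `expression r... (%s)` runs before the bounds check, so a malformed entry still emits a partial output line before `goto invalid`, and moving the check above the `printf` would keep the output clean for bad input; and the `(uint64_t) (endp - readp)` comparison only holds if `readp` has not already passed `endp` while decoding `op1` and `op2`, since a negative difference wraps to a huge value and the check passes, so it is worth confirming that `get_uleb128` cannot run past `endp` here. A regression input with a DW_CFA_expression whose block length exceeds the remaining CFA bytes would pin this behaviour down in the test suite.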