public inbox for elfutils@sourceware.org
* [PATCH] readelf, libdw: Correct .debug_line overflow check for unit_length.
@ 2014-12-16 15:12 Mark Wielaard
From: Mark Wielaard @ 2014-12-16 15:12 UTC (permalink / raw)
  To: elfutils-devel

Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 libdw/ChangeLog           | 5 +++--
 libdw/dwarf_getsrclines.c | 4 ++--
 src/ChangeLog             | 5 +++++
 src/readelf.c             | 4 ++--
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 757fb23..0592220 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,6 +1,7 @@
-2014-12-15  Mark Wielaard  <mjw@redhat.com>
+2014-12-16  Mark Wielaard  <mjw@redhat.com>
 
-2014-12-15  Mark Wielaard  <mjw@redhat.com>
+	* dwarf_getsrclines.c (read_srclines): Correct overflow check for
+	unit_length.
 
 2014-12-15  Mark Wielaard  <mjw@redhat.com>
 
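Review bot: The two removed `2014-12-15  Mark Wielaard` header lines at the top of this hunk have no entry under them, so besides adding the `read_srclines` entry the hunk also silently cleans up stray duplicate headers. Mention that cleanup in the commit message, or do it in a separate change, so the ChangeLog history stays easy to follow.
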
diff --git a/libdw/dwarf_getsrclines.c b/libdw/dwarf_getsrclines.c
index d50a17d..d477944 100644
--- a/libdw/dwarf_getsrclines.c
+++ b/libdw/dwarf_getsrclines.c
@@ -113,8 +113,8 @@ read_srclines (Dwarf *dbg,
     }
 
   /* Check whether we have enough room in the section.  */
-  if (unit_length < 2 + length + 5 * 1
-      || unlikely (linep + unit_length > lineendp))
+  if (unlikely (unit_length > (size_t) (lineendp - linep)
+      || unit_length < 2 + length + 5 * 1))
     goto invalid_data;
   lineendp = linep + unit_length;
 
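Review bot: In the new first operand, `(size_t) (lineendp - linep)` is only a valid bound if `linep <= lineendp` already holds at this point; if `linep` were past `lineendp`, the negative difference would convert to a very large unsigned value and any `unit_length` would pass. The code above this hunk is not visible here, so please confirm that the earlier reads guarantee this, or test `linep > lineendp` explicitly before the subtraction. Comparing the length against the remaining bytes is otherwise the right shape, since it never forms `linep + unit_length`, which can wrap for a large `unit_length` and slip past the old `> lineendp` comparison. The commit message has no body; one sentence stating that reason would help later readers.
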
diff --git a/src/ChangeLog b/src/ChangeLog
index 1ca1540..1dc1957 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,10 @@
 2014-12-16  Mark Wielaard  <mjw@redhat.com>
 
+	* readelf.c (print_debug_line_section): Correct overflow check for
+	unit_length.
+
+2014-12-16  Mark Wielaard  <mjw@redhat.com>
+
 	* elfcmp.c (compare_Elf32_Word): Make sure (unsigned) Elf32_Word
 	difference doesn't wrap around before returning as int.
 
diff --git a/src/readelf.c b/src/readelf.c
index e9a356d..3c686d5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -6357,8 +6357,8 @@ print_debug_line_section (Dwfl_Module *dwflmod, Ebl *ebl, GElf_Ehdr *ehdr,
 	}
 
       /* Check whether we have enough room in the section.  */
-      if (unit_length < 2 + length + 5 * 1
-	  || unlikely (linep + unit_length > lineendp))
+      if (unlikely (unit_length > (size_t) (lineendp - linep)
+	  || unit_length < 2 + length + 5 * 1))
 	goto invalid_data;
       lineendp = linep + unit_length;
 
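Review bot: The continuation line `|| unit_length < 2 + length + 5 * 1))` is now inside the `unlikely (` parentheses but is indented as if it were a sibling of `unlikely`, so the grouping is easy to misread; align it under the first `unit_length`. The minimum `2 + length + 5 * 1` is also unexplained at this site, and a short comment naming what each term counts would make it checkable. Since this is the same condition as the one in `read_srclines` in libdw/dwarf_getsrclines.c, a cross-reference comment (or a shared helper) would keep the two copies from drifting apart.
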
-- 
1.8.3.1