* [PATCH] libdw: dwarf_getaranges check there is enough data before reading.
@ 2015-05-05 8:17 Mark Wielaard
From: Mark Wielaard @ 2015-05-05 8:17 UTC
To: elfutils-devel
https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c30
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
libdw/ChangeLog | 5 +++++
libdw/dwarf_getaranges.c | 14 +++++++++++++-
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index fd3e4ad..f5dfc8f 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-05 Mark Wielaard <mjw@redhat.com>
+
+ * dwarf_getaranges.c (dwarf_getaranges): Check there is enough data
+ left before reading values.
+
2015-05-04 Anthony G. Basile <blueness@gentoo.org>
* Makefile.am (libdw_so_SOURCES): Append $(argp_LDADD) to link
diff --git a/libdw/dwarf_getaranges.c b/libdw/dwarf_getaranges.c
index 4953af5..c03e946 100644
--- a/libdw/dwarf_getaranges.c
+++ b/libdw/dwarf_getaranges.c
@@ -110,10 +110,16 @@ dwarf_getaranges (dbg, aranges, naranges)
5. A 1-byte unsigned integer containing the size in bytes of
a segment descriptor on the target system. */
+ if (readp + 4 > readendp)
+ goto invalid;
+
Dwarf_Word length = read_4ubyte_unaligned_inc (dbg, readp);
unsigned int length_bytes = 4;
if (length == DWARF3_LENGTH_64_BIT)
{
+ if (readp + 8 > readendp)
+ goto invalid;
+
length = read_8ubyte_unaligned_inc (dbg, readp);
length_bytes = 8;
}
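Review bot: the guards at L32 and L39 are spelled `readp + 4 > readendp` and `readp + 8 > readendp`, which forms a pointer past the end of the section before comparing it; that is undefined behaviour in C and compilers have optimised such comparisons away. Prefer the length form, `readendp - readp < 4` and `readendp - readp < 8`, which never leaves the object. The 8-byte re-check in the 64-bit branch is correct as written, since the 4-byte escape was already consumed at L35. What this hunk does not show is whether `length` itself is compared against the bytes left after the header (the escape-code test at L46-47 only rejects reserved values); confirm the check `length > (Dwarf_Word) (readendp - readp)` exists where the end of this set is computed, otherwise a crafted length still positions the set end past the section.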
@@ -121,6 +127,9 @@ dwarf_getaranges (dbg, aranges, naranges)
&& length <= DWARF3_LENGTH_MAX_ESCAPE_CODE))
goto invalid;
+ if (readp + 2 > readendp)
+ goto invalid;
+
unsigned int version = read_2ubyte_unaligned_inc (dbg, readp);
if (version != 2)
{
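Review bot: the 2-byte check at L48 covers only `version`; the header layout quoted at L30-31 ends with the 1-byte address size and 1-byte segment descriptor size, and the reads of those two fields are not in this diff. If they are not already guarded, extend this check (or add a 2-byte one before them) rather than relying on the set trailer. As with the other guards, `readendp - readp < 2` avoids computing an out-of-bounds pointer.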
@@ -136,7 +145,7 @@ dwarf_getaranges (dbg, aranges, naranges)
return -1;
}
- Dwarf_Word offset;
+ Dwarf_Word offset = 0;
if (__libdw_read_offset_inc (dbg,
IDX_debug_aranges, &readp,
length_bytes, &offset, IDX_debug_info, 4))
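Review bot: the `Dwarf_Word offset = 0;` initialisation at L58 is not a bounds check and is not mentioned by the ChangeLog entry at L20-21. If it is there to silence a maybe-uninitialized warning on the failure path of `__libdw_read_offset_inc`, say so in the ChangeLog or in a short comment; otherwise a later reader has to guess whether a zero offset is meaningful when the read fails.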
@@ -164,6 +173,9 @@ dwarf_getaranges (dbg, aranges, naranges)
address_size, &range_address))
goto fail;
+ if (readp + address_size > readendp)
+ goto invalid;
+
if (address_size == 4)
range_length = read_4ubyte_unaligned_inc (dbg, readp);
else
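Review bot: the guard at L65 uses `address_size` as the byte count, but the branch at L68-70 reads exactly 4 bytes or, in the `else` arm, 8 bytes. That is only safe if `address_size` was rejected for values other than 4 and 8 when it was read from the header, which this diff does not show; with an unchecked value such as 2 the guard would pass while the 8-byte read in the `else` arm overruns. Either add `if (address_size != 4 && address_size != 8) goto invalid;` at the point the field is read, or make the check here `readendp - readp < 8` when the `else` arm is taken. The preceding `range_address` read at L63 is assumed to be bounds-checked inside `__libdw_read_address_inc`; a single check of `2 * address_size` before both reads would make that pairing explicit.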
--
2.1.0
* Re: [PATCH] libdw: dwarf_getaranges check there is enough data before reading.
@ 2015-05-12 14:40 Mark Wielaard
From: Mark Wielaard @ 2015-05-12 14:40 UTC
To: elfutils-devel
On Tue, 2015-05-05 at 10:17 +0200, Mark Wielaard wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c30
Pushed, wrapping the new checks in unlikely.