From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 106258 invoked by alias); 25 Jan 2018 13:35:01 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 105624 invoked by uid 89); 25 Jan 2018 13:35:01 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.99.2 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-25.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY autolearn=ham version=3.3.2 spammy= X-Spam-Status: No, score=-25.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-HELO: gnu.wildebeest.org Received: from wildebeest.demon.nl (HELO gnu.wildebeest.org) (212.238.236.112) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 25 Jan 2018 13:34:59 +0000 Received: from tarox.wildebeest.org (tarox.wildebeest.org [172.31.17.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by gnu.wildebeest.org (Postfix) with ESMTPSA id DF5173000B07; Thu, 25 Jan 2018 14:34:56 +0100 (CET) Received: by tarox.wildebeest.org (Postfix, from userid 1000) id 7FD1D4000B15; Thu, 25 Jan 2018 14:34:56 +0100 (CET) From: Mark Wielaard To: elfutils-devel@sourceware.org Cc: Mark Wielaard Subject: [COMMITTED] readelf: Fix crash on reading loc data or range data with bad/no CUs. Date: Thu, 25 Jan 2018 13:35:00 -0000 Message-Id: <1516887294-21443-1-git-send-email-mark@klomp.org> X-Mailer: git-send-email 1.8.3.1 X-Spam-Flag: NO X-IsSubscribed: yes X-SW-Source: 2018-q1/txt/msg00012.txt.bz2 In print_debug_ranges_section and print_debug_loc_section we try to get the associated CU through skip_listptr_hole for the first data data. If no CU at all can be found (because the .debug_info section was bogus) this would keep the Dwarf_CU uninitialized causing a crash later on when it was compared to the last_cu and used because it was unequal. Fix this by explicitly initializing cu to last_cu (which is NULL on first use). Signed-off-by: Mark Wielaard --- src/ChangeLog | 5 +++++ src/readelf.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index 49b0cc0..a0bb7a2 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2018-01-25 Mark Wielaard + + * readelf.c (print_debug_ranges_section): Initialize cu to last_cu. + (print_debug_loc_section): Likewise. + 2018-01-01 Mark Wielaard * readelf.c (attr_callback): Use dwarf_form_name for unknown forms. diff --git a/src/readelf.c b/src/readelf.c index 4bdaef2..6c49d30 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -5014,7 +5014,7 @@ print_debug_ranges_section (Dwfl_Module *dwflmod, while (readp < endp) { ptrdiff_t offset = readp - (unsigned char *) data->d_buf; - Dwarf_CU *cu; + Dwarf_CU *cu = last_cu; if (first && skip_listptr_hole (&known_rangelistptr, &listptr_idx, &address_size, NULL, &base, &cu, @@ -7140,7 +7140,7 @@ print_debug_loc_section (Dwfl_Module *dwflmod, while (readp < endp) { ptrdiff_t offset = readp - (unsigned char *) data->d_buf; - Dwarf_CU *cu; + Dwarf_CU *cu = last_cu; if (first && skip_listptr_hole (&known_loclistptr, &listptr_idx, &address_size, &offset_size, &base, -- 1.8.3.1