From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 26757 invoked by alias); 5 Jun 2018 20:33:15 -0000 Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: elfutils-devel-owner@sourceware.org Received: (qmail 26436 invoked by uid 89); 5 Jun 2018 20:33:12 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.99.4 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 spammy= X-Spam-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-HELO: gnu.wildebeest.org Received: from wildebeest.demon.nl (HELO gnu.wildebeest.org) (212.238.236.112) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 05 Jun 2018 20:33:11 +0000 Received: from tarox.wildebeest.org (tarox.wildebeest.org [172.31.17.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by gnu.wildebeest.org (Postfix) with ESMTPSA id AE4D630DD240; Tue, 5 Jun 2018 22:33:08 +0200 (CEST) Received: by tarox.wildebeest.org (Postfix, from userid 1000) id 75C9A418ABCC; Tue, 5 Jun 2018 22:33:08 +0200 (CEST) From: Mark Wielaard To: elfutils-devel@sourceware.org Cc: Mark Wielaard Subject: [PATCH] libdw: Make sure dirarray is always properly freed in dwarf_getsrclines. Date: Tue, 05 Jun 2018 20:33:00 -0000 Message-Id: <1528230786-5399-1-git-send-email-mark@klomp.org> X-Mailer: git-send-email 1.8.3.1 X-Spam-Flag: NO X-IsSubscribed: yes X-SW-Source: 2018-q2/txt/msg00153.txt.bz2 If there were more than 256 directories in the table and there was illegal DWARF before we read them all, then we might not free the dirarray (or the wrong one). Fix by defining the dirarray early (before the first data sanity check) and making sure it is not (still) equal to dirstack before freeing. Signed-off-by: Mark Wielaard --- libdw/ChangeLog | 6 ++++++ libdw/dwarf_getsrclines.c | 21 ++++++++++++--------- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/libdw/ChangeLog b/libdw/ChangeLog index b9f177d..f0ce901 100644 --- a/libdw/ChangeLog +++ b/libdw/ChangeLog @@ -1,5 +1,11 @@ 2018-06-05 Mark Wielaard + * dwarf_getsrclines.c (read_srclines): Define dirarray early and + check whether or not it is equal to dirstack on exit/out before + cleanup. + +2018-06-05 Mark Wielaard + * dwarf_getalt.c (find_debug_altlink): id_path array should be 2 larger to contain MAX_BUILD_ID_BYTES. diff --git a/libdw/dwarf_getsrclines.c b/libdw/dwarf_getsrclines.c index 790d4e4..0c2efaa 100644 --- a/libdw/dwarf_getsrclines.c +++ b/libdw/dwarf_getsrclines.c @@ -182,6 +182,17 @@ read_srclines (Dwarf *dbg, .discriminator = 0 }; + /* The dirs normally go on the stack, but if there are too many + we alloc them all. Set up stack storage early, so we can check on + error if we need to free them or not. */ + struct dirlist + { + const char *dir; + size_t len; + }; + struct dirlist dirstack[MAX_STACK_DIRS]; + struct dirlist *dirarray = dirstack; + if (unlikely (linep + 4 > lineendp)) { invalid_data: @@ -347,14 +358,6 @@ read_srclines (Dwarf *dbg, goto invalid_data; } - struct dirlist - { - const char *dir; - size_t len; - }; - struct dirlist dirstack[MAX_STACK_DIRS]; - struct dirlist *dirarray = dirstack; - /* Arrange the list in array form. */ ndirlist = ndirs; if (ndirlist >= MAX_STACK_DIRS) @@ -1051,7 +1054,7 @@ read_srclines (Dwarf *dbg, free (state.linelist); state.linelist = ll; } - if (ndirlist >= MAX_STACK_DIRS) + if (dirarray != dirstack) free (dirarray); for (size_t i = MAX_STACK_FILES; i < nfilelist; i++) { -- 1.8.3.1