Created attachment 6907 [details]
valgrind objdump -Wl extlineop.o

process_extended_line_op (dwarf.c) may overflow its unsigned char *data argument. This can happen because it only detects the end of the buffer by its contents, which are not previously validated. The function could perform better error checking if it would also receive the allocated size of the buffer.

An example input triggering an overflow is attached, along with valgrind output:

==6131== Memcheck, a memory error detector
==6131== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==6131== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==6131== Command: /home/pdm/binutils/binutils/objdump -Wl extlineop.o
==6131== 

extlineop.o:     file format elf64-x86-64

Raw dump of debug contents of section .debug_line:

  Offset:                      0x0
  Length:                      62
  DWARF Version:               2
  Prologue Length:             35
  Minimum Instruction Length:  1
  Initial value of 'is_stmt':  1
  Line Base:                   1
  Line Range:                  1
  Opcode Base:                 16

 Opcodes:
  Opcode 1 has 0 args
  Opcode 2 has 1 args
  Opcode 3 has 1 args
  Opcode 4 has 1 args
  Opcode 5 has 1 args
  Opcode 6 has 0 args
  Opcode 7 has 0 args
  Opcode 8 has 0 args
  Opcode 9 has 1 args
  Opcode 10 has 0 args
  Opcode 11 has 0 args
  Opcode 12 has 1 args
  Opcode 13 has 0 args
  Opcode 14 has 0 args
  Opcode 15 has 0 args

 The Directory Table is empty.

 The File Name Table:
  Entry	Dir	Time	Size	Name
  1	0	0	0	file1.txt

 Line Number Statements:
  Extended opcode 2: set Address to 0x4
  Advance Line by 3 to 4
  Copy
  Copy
  Extended opcode 2: set Address to 0x8
==6131== Invalid read of size 1
==6131==    at 0x40BC80: display_debug_lines (dwarf.c:423)
==6131==    by 0x407D55: dump_dwarf_section (objdump.c:2364)
==6131==    by 0x445D8B: bfd_map_over_sections (section.c:1330)
==6131==    by 0x4068A2: dump_dwarf (objdump.c:2411)
==6131==    by 0x406CCF: dump_bfd (objdump.c:3242)
==6131==    by 0x407477: display_any_bfd (objdump.c:3329)
==6131==    by 0x4079B7: display_file.part.3 (objdump.c:3404)
==6131==    by 0x4084C6: main (objdump.c:3393)
==6131==  Address 0x4c2bab2 is 0 bytes after a block of size 66 alloc'd
==6131==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==6131==    by 0x443575: bfd_malloc (libbfd.c:183)
==6131==    by 0x4541C7: bfd_get_full_section_contents (compress.c:181)
==6131==    by 0x407AD3: load_specific_debug_section (objdump.c:2264)
==6131==    by 0x407D3C: dump_dwarf_section (objdump.c:2361)
==6131==    by 0x445D8B: bfd_map_over_sections (section.c:1330)
==6131==    by 0x4068A2: dump_dwarf (objdump.c:2411)
==6131==    by 0x406CCF: dump_bfd (objdump.c:3242)
==6131==    by 0x407477: display_any_bfd (objdump.c:3329)
==6131==    by 0x4079B7: display_file.part.3 (objdump.c:3404)
==6131==    by 0x4084C6: main (objdump.c:3393)
==6131== 
  Extended opcode 0: UNKNOWN: length 1 [ 00]

==6131== 
==6131== HEAP SUMMARY:
==6131==     in use at exit: 0 bytes in 0 blocks
==6131==   total heap usage: 119 allocs, 119 frees, 65,486 bytes allocated
==6131== 
==6131== All heap blocks were freed -- no leaks are possible
==6131== 
==6131== For counts of detected and suppressed errors, rerun with: -v
==6131== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)