This is the mail archive of the
binutils-cvs@sourceware.org
mailing list for the binutils project.
[binutils-gdb] Fix address violations when parsing a corrupt DWARF linenumber table.
- From: Nick Clifton <nickc at sourceware dot org>
- To: bfd-cvs at sourceware dot org
- Date: 26 Sep 2017 11:15:27 -0000
- Subject: [binutils-gdb] Fix address violations when parsing a corrupt DWARF linenumber table.
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5c1c468d0eddd0fda1ec8c5f33888657f94e3266
commit 5c1c468d0eddd0fda1ec8c5f33888657f94e3266
Author: Nick Clifton <nickc@redhat.com>
Date: Tue Sep 26 12:14:42 2017 +0100
Fix address violations when parsing a corrupt DWARF linenumber table.
PR 22154
* dwarf.c (get_line_filename_and_dirname): Add extra checks for
buffer overruns.
Diff:
---
binutils/ChangeLog | 6 ++++++
binutils/dwarf.c | 21 ++++++++++++++++-----
2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 80fff9c..dc4faf5 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,5 +1,11 @@
2017-09-26 Nick Clifton <nickc@redhat.com>
+ PR 22154
+ * dwarf.c (get_line_filename_and_dirname): Add extra checks for
+ buffer overruns.
+
+2017-09-26 Nick Clifton <nickc@redhat.com>
+
* README-how-to-make-a-release: New file.
2017-09-26 Alan Modra <amodra@gmail.com>
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index d4156e4..edc65aa 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -4742,13 +4742,21 @@ get_line_filename_and_dirname (dwarf_vma line_offset,
return NULL;
hdrptr += opcode_base - 1;
+ if (hdrptr >= end)
+ return NULL;
+
dirtable = hdrptr;
/* Skip over dirname table. */
while (*hdrptr != '\0')
- hdrptr += strnlen ((char *) hdrptr, end - hdrptr) + 1;
+ {
+ hdrptr += strnlen ((char *) hdrptr, end - hdrptr) + 1;
+ if (hdrptr >= end)
+ return NULL;
+ }
hdrptr++; /* Skip the NUL at the end of the table. */
+
/* Now skip over preceding filename table entries. */
- for (; *hdrptr != '\0' && fileidx > 1; fileidx--)
+ for (; hdrptr < end && *hdrptr != '\0' && fileidx > 1; fileidx--)
{
hdrptr += strnlen ((char *) hdrptr, end - hdrptr) + 1;
read_uleb128 (hdrptr, &bytes_read, end);
@@ -4758,16 +4766,19 @@ get_line_filename_and_dirname (dwarf_vma line_offset,
read_uleb128 (hdrptr, &bytes_read, end);
hdrptr += bytes_read;
}
- if (hdrptr == end || *hdrptr == '\0')
+ if (hdrptr >= end || *hdrptr == '\0')
return NULL;
+
file_name = hdrptr;
hdrptr += strnlen ((char *) hdrptr, end - hdrptr) + 1;
+ if (hdrptr >= end)
+ return NULL;
diridx = read_uleb128 (hdrptr, &bytes_read, end);
if (diridx == 0)
return file_name;
- for (; *dirtable != '\0' && diridx > 1; diridx--)
+ for (; dirtable < end && *dirtable != '\0' && diridx > 1; diridx--)
dirtable += strnlen ((char *) dirtable, end - dirtable) + 1;
- if (*dirtable == '\0')
+ if (dirtable >= end || *dirtable == '\0')
return NULL;
*dir_name = dirtable;
return file_name;