This is the mail archive of the
elfutils-devel@sourceware.org
mailing list for the elfutils project.
[Bug tools/24116] A Heap-buffer-overflow problem was discovered in the function print_debug_line_section in readelf.c
- From: "mark at klomp dot org" <sourceware-bugzilla at sourceware dot org>
- To: elfutils-devel at sourceware dot org
- Date: Tue, 22 Jan 2019 17:18:30 +0000
- Subject: [Bug tools/24116] A Heap-buffer-overflow problem was discovered in the function print_debug_line_section in readelf.c
- Auto-submitted: auto-generated
- References: <bug-24116-10460@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=24116
Mark Wielaard <mark at klomp dot org> changed:
What       |Removed     |Added
----------------------------------------------------------------------------
Status     |UNCONFIRMED |RESOLVED
CC         |            |mark at klomp dot org
Resolution |---         |FIXED
--- Comment #3 from Mark Wielaard <mark at klomp dot org> ---
Yeah, we should check the unknown parameters are actually there.
Luckily other checks make sure we don't read more than one byte past the end of
the data.
commit a17c2c0917901ffa542ac4d3e327d46742219e04
Author: Mark Wielaard <mark@klomp.org>
Date: Tue Jan 22 15:55:18 2019 +0100
readelf: Don't go past end of line data reading unknown opcode parameters.
https://sourceware.org/bugzilla/show_bug.cgi?id=24116
Signed-off-by: Mark Wielaard <mark@klomp.org>
diff --git a/src/readelf.c b/src/readelf.c
index 6bad3bf..e3e699c 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -8845,7 +8845,8 @@ print_debug_line_section (Dwfl_Module *dwflmod, Ebl *ebl,
GElf_Ehdr *ehdr,
" unknown opcode with %" PRIu8 " parameters:",
standard_opcode_lengths[opcode]),
standard_opcode_lengths[opcode]);
- for (int n = standard_opcode_lengths[opcode]; n > 0; --n)
+ for (int n = standard_opcode_lengths[opcode];
+ n > 0 && linep < lineendp; --n)
{
get_uleb128 (u128, linep, lineendp);
if (n != standard_opcode_lengths[opcode])
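Review bot: when the new `linep < lineendp` condition ends the loop early, the output still reads as a complete "unknown opcode with N parameters:" line, because the count printed just above comes from standard_opcode_lengths[opcode] and nothing marks the parameters that were never read. Since `n` is declared in the for statement it is not visible after the loop, so consider hoisting it and, if `n > 0` once the loop finishes, printing an invalid-data or truncation notice (or stopping the line-program dump there) so that a malformed .debug_line section is recognisable as such in the readelf output. A short comment on the loop stating that the parameter count comes from the file's header and is untrusted would also help the next reader.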