Sourceware Bugzilla – Attachment 10856 Details for
Bug 22894
integer overflow in parse_die
[patch]
Proposed patch
pr22894.patch (text/plain), 1.01 KB, created by
Nick Clifton
on 2018-02-27 14:23:03 UTC
Description:
Proposed patch
Filename:
MIME Type:
Creator:
Nick Clifton
Created:
2018-02-27 14:23:03 UTC
Size:
1.01 KB
>diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c
>index 71bc57bfdf..f272ea8311 100644
>--- a/bfd/dwarf1.c
>+++ b/bfd/dwarf1.c
>@@ -213,6 +213,7 @@ parse_die (bfd * abfd,
> /* Then the attributes. */
> while (xptr + 2 <= aDiePtrEnd)
> {
>+ unsigned int block_len;
> unsigned short attr;
>
> /* Parse the attribute based on its form. This section
>@@ -255,12 +256,24 @@ parse_die (bfd * abfd,
> break;
> case FORM_BLOCK2:
> if (xptr + 2 <= aDiePtrEnd)
>- xptr += bfd_get_16 (abfd, xptr);
>+ {
>+ block_len = bfd_get_16 (abfd, xptr);
>+ if (xptr + block_len > aDiePtrEnd
>+ || xptr + block_len < xptr)
>+ return FALSE;
>+ xptr += block_len;
>+ }
> xptr += 2;
> break;
> case FORM_BLOCK4:
> if (xptr + 4 <= aDiePtrEnd)
>- xptr += bfd_get_32 (abfd, xptr);
>+ {
>+ block_len = bfd_get_32 (abfd, xptr);
>+ if (xptr + block_len > aDiePtrEnd
>+ || xptr + block_len < xptr)
>+ return FALSE;
>+ xptr += block_len;
>+ }
> xptr += 4;
> break;
> case FORM_STRING:
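Review bot: The new bounds check in the FORM_BLOCK2 branch still relies on `xptr + block_len < xptr` to catch wraparound, but forming a pointer beyond the end of the buffer is undefined behaviour in C, so an optimising compiler is allowed to drop that half of the test; the FORM_BLOCK4 branch has the same pattern. Comparing the length with the bytes that remain avoids the pointer arithmetic altogether, e.g. `if (block_len > (size_t) (aDiePtrEnd - xptr) - 2) return FALSE;` (with `- 4` in FORM_BLOCK4), which is safe here because the enclosing `if` already guarantees at least 2 (or 4) bytes remain. Subtracting the size of the length field also matters because the unconditional `xptr += 2;` / `xptr += 4;` after the block can otherwise leave xptr up to 2 or 4 bytes past aDiePtrEnd even when the check passes. parse_die starts and ends outside these hunks, so whether later code tolerates xptr beyond aDiePtrEnd cannot be confirmed from here.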