Sourceware Bugzilla – Attachment 11961 Details for
Bug 24829
readelf: multiple integer overflows in readelf.c and dwarf.c
[patch]
Another patch
pr24829.patch (text/plain), 3.24 KB, created by
Nick Clifton
on 2019-08-22 15:07:10 UTC
Description:
Another patch
Filename:
MIME Type:
Creator:
Nick Clifton
Created:
2019-08-22 15:07:10 UTC
Size:
3.24 KB
patch
obsolete
>diff --git a/binutils/dwarf.c b/binutils/dwarf.c
>index b36406c0e3..afffcab9d1 100644
>--- a/binutils/dwarf.c
>+++ b/binutils/dwarf.c
>@@ -1832,6 +1832,34 @@ free_dwo_info (void)
> first_dwo_info = NULL;
> }
>
>+/* Ensure that START + UVALUE is less than END.
>+ Return an adjusted UVALUE if necessary to ensure this relationship. */
>+
>+static inline dwarf_vma
>+check_uvalue (const unsigned char * start,
>+ dwarf_vma uvalue,
>+ const unsigned char * end)
>+{
>+ dwarf_vma max_uvalue = end - start;
>+
>+ /* FIXME: Testing "(start + uvalue) < start" miscompiles with gcc 4.8.3
>+ running on an x86_64 host in 32-bit mode. So we pre-compute start +
>+ uvalue here. */
>+ const unsigned char * ptr = start + uvalue;
>+
>+ /* See PR 17512: file: 008-103549-0.001:0.1.
>+ and PR 24829 for example of where these tests are triggered. */
>+ if (uvalue > max_uvalue
>+ || ptr > end
>+ || ptr < start)
>+ {
>+ warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
>+ uvalue = max_uvalue;
>+ }
>+
>+ return uvalue;
>+}
>+
> static unsigned char *
> read_and_display_attr_value (unsigned long attribute,
> unsigned long form,
>@@ -2056,16 +2084,9 @@ read_and_display_attr_value (unsigned long attribute,
> uvalue = 0;
> block_start = end;
> }
>- /* FIXME: Testing "(block_start + uvalue) < block_start" miscompiles with
>- gcc 4.8.3 running on an x86_64 host in 32-bit mode. So we pre-compute
>- block_start + uvalue here. */
>- data = block_start + uvalue;
>- /* PR 17512: file: 008-103549-0.001:0.1. */
>- if (block_start + uvalue > end || data < block_start)
>- {
>- warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
>- uvalue = end - block_start;
>- }
>+
>+ uvalue = check_uvalue (block_start, uvalue, end);
>+
> if (do_loc)
> data = block_start + uvalue;
> else
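Review bot: `start + uvalue` is still formed unconditionally on the `ptr` line before any range test, so for the oversized lengths this helper exists to reject, the out-of-bounds pointer is computed first, and the `ptr > end || ptr < start` legs can only be evaluated with `ptr` already inside `[start, end]` once `uvalue > max_uvalue` has short-circuited false (assuming START <= END). The integer compare is the defensible check on its own; I would drop `ptr` together with the FIXME and keep `if (uvalue > max_uvalue)`. The header comment also says "less than END" while the test admits `start + uvalue == end`, so it should read "does not exceed END", and the precondition deserves stating: `/* Requires START <= END; max_uvalue wraps otherwise.  Callers clamp BLOCK_START to END first. */` — that clamp is inferred from the `block_start = end` context at the call sites, whose condition is outside this hunk. The `(long) uvalue` passed to `%lx` also truncates a 64-bit dwarf_vma on hosts where long is 32 bits, so the length reported in the warning may not be the one rejected.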
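Review bot: the unconditional `data = block_start + uvalue;` that preceded the old check is removed, so within this hunk `data` is assigned only on the `do_loc` branch; the `else` branch and the rest of this arm are outside the hunk, so confirm every path still sets `data` before it is used or returned. If the `else` branch does not assign it, the old line should stay: `data = block_start + uvalue;` immediately after the `check_uvalue` call. read_and_display_attr_value starts and ends outside the hunk.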
>@@ -2081,12 +2102,9 @@ read_and_display_attr_value (unsigned long attribute,
> uvalue = 0;
> block_start = end;
> }
>- data = block_start + uvalue;
>- if (block_start + uvalue > end || data < block_start)
>- {
>- warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
>- uvalue = end - block_start;
>- }
>+
>+ uvalue = check_uvalue (block_start, uvalue, end);
>+
> if (do_loc)
> data = block_start + uvalue;
> else
>@@ -2102,12 +2120,9 @@ read_and_display_attr_value (unsigned long attribute,
> uvalue = 0;
> block_start = end;
> }
>- data = block_start + uvalue;
>- if (block_start + uvalue > end || data < block_start)
>- {
>- warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
>- uvalue = end - block_start;
>- }
>+
>+ uvalue = check_uvalue (block_start, uvalue, end);
>+
> if (do_loc)
> data = block_start + uvalue;
> else
>@@ -2124,14 +2139,9 @@ read_and_display_attr_value (unsigned long attribute,
> uvalue = 0;
> block_start = end;
> }
>- data = block_start + uvalue;
>- if (block_start + uvalue > end
>- /* PR 17531: file: 5b5f0592. */
>- || data < block_start)
>- {
>- warn (_("Corrupt attribute block length: %lx\n"), (long) uvalue);
>- uvalue = end - block_start;
>- }
>+
>+ uvalue = check_uvalue (block_start, uvalue, end);
>+
> if (do_loc)
> data = block_start + uvalue;
> else
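Review bot: the replacement brackets the single `uvalue = check_uvalue (block_start, uvalue, end);` with a blank `+` line on each side, leaving empty lines directly after the closing `}` and before `if (do_loc)`, which the surrounding arm does not do; the call alone between those two lines matches the rest. The same spacing appears in the sibling hunks of this file. This switch arm starts and ends outside the hunk.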
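Review bot: the `data < block_start` leg being deleted carried `/* PR 17531: file: 5b5f0592. */`, and that reproducer reference does not reappear anywhere in the patch — check_uvalue's comment cites PR 17512 and PR 24829 only. Suggest keeping the trail in the helper's comment, e.g. `/* See PR 17512: file: 008-103549-0.001:0.1, PR 17531: file: 5b5f0592, and PR 24829 for examples of where these tests are triggered. */`. This switch arm starts and ends outside the hunk.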