Bug 22204

Created attachment 10477 [details]
poc of integer overflow

When I run "nm-new -a -A -D -l -n -P -r -S --size-sort --special-syms --synthetic --with-symbol-versions integer_overflow.elf", it just hangs there and lasts for long time. And When I run ltrace with above command, I find that it call malloc persistly.

And then I debug it with gdb, I finall find the reason in function decode_line_info. Here is the snippet of it:

 /* Decode the table.  */
      while (! end_sequence)
	{
	  op_code = read_1_byte (abfd, line_ptr, line_end);
	  line_ptr += 1;

	  if (op_code >= lh.opcode_base)
	    {
	      /* Special operand.  */
	      adj_opcode = op_code - lh.opcode_base;
	      if (lh.line_range == 0)
		goto line_fail;
	      if (lh.maximum_ops_per_insn == 1)
		address += (adj_opcode / lh.line_range
			    * lh.minimum_instruction_length);
	      else
		{
		  address += ((op_index + adj_opcode / lh.line_range)
			      / lh.maximum_ops_per_insn
			      * lh.minimum_instruction_length);
		  op_index = ((op_index + adj_opcode / lh.line_range)
			      % lh.maximum_ops_per_insn);
		}
2294:	      line += lh.line_base + (adj_opcode % lh.line_range);
	      /* Append row to matrix using current values.  */
	      if (!add_line_info (table, address, op_index, filename,
				  line, column, discriminator, 0))
		goto line_fail;
	      discriminator = 0;
	      if (address < low_pc)
		low_pc = address;
	      if (address > high_pc)
		high_pc = address;
	    }


When I debug the process, the lh.line_base=-5 (int type), while the line is declared a unsigned int with initial value 0, when it meets a specific condition, it just traps in the while loop.

The poc is attached.