Created attachment 10490
poc of infinite loop

When I run "objdump -x -D -S -s -g -e -G --dwarf -t -T -r -R --special-syms --inlines --dwarf-check loop.elf", it traps into function process_debug_info. Some of the function snippet is here:

    for (section_begin = start, unit = 0; start < end; unit++)
      {
        ......
        start += compunit.cu_length + initial_length_size;
        ......
      }

When I debug it with gdb, I can see that compunit.cu_length = 0xfffffff4 and initial_length_size = 12, which leads to start += 0 each loop. Maybe there is an integer overflow here. The poc is attached here.
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=19485196044b2521af979f1e5c4a89bfb90fba0b

commit 19485196044b2521af979f1e5c4a89bfb90fba0b
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Sep 27 10:42:51 2017 +0100

    Prevent an infinite loop in the DWARF parsing code when encountering a CU structure with a small negative size.

            PR 22219
            * dwarf.c (process_debug_info): Add a check for a negative cu_length field.
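To illustrate the failure mode and the kind of check the fix adds, here is an added example (not binutils' own code, and not the actual patch): a hypothetical walk over .debug_info unit headers, run once without a length check, where a constructed 64-bit length of 0xfffffffffffffff4 plus the 12-byte header wraps to a zero advance, and once with a check that rejects a "negative" length or one that would not stay inside the section. The iteration cap exists only so the unchecked walk terminates for the demo.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical little-endian field readers (not binutils' code). */
static uint64_t rd32(const unsigned char *p) { uint64_t v = 0; for (int i = 3; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static uint64_t rd64(const unsigned char *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }

/* Walk unit headers from start to end. With checked != 0, reject any
   unit whose length is "negative" (top bit set) or would not fit in the
   remaining section; with checked == 0, mimic the unguarded loop but stop
   after max_iter units so the demo itself cannot hang.
   Returns the number of units walked, or -1 for a rejected header. */
int walk_units(const unsigned char *start, const unsigned char *end, int checked, int max_iter)
{
    int unit = 0;
    while (start < end && unit < max_iter) {
        uint64_t cu_length;
        unsigned initial_length_size;
        if (end - start < 4) return -1;
        cu_length = rd32(start);
        initial_length_size = 4;
        if (cu_length == 0xffffffffULL) {          /* 64-bit DWARF escape */
            if (end - start < 12) return -1;
            cu_length = rd64(start + 4);
            initial_length_size = 12;
        }
        if (checked) {
            if (cu_length >> 63) return -1;          /* negative length */
            if (cu_length > (uint64_t)(end - start) - initial_length_size)
                return -1;                           /* would overrun end */
        }
        /* Unchecked: 0xfffffffffffffff4 + 12 wraps to 0, so start never moves. */
        start += cu_length + initial_length_size;
        unit++;
    }
    return unit;
}

/* Constructed sample section: one valid 32-bit unit (length 7, then 7
   header bytes), followed by a 64-bit unit with length 0xfffffffffffffff4. */
static const unsigned char sample[] = {
    0x07, 0x00, 0x00, 0x00,  0x04, 0x00,  0x00, 0x00, 0x00, 0x00,  0x08,
    0xff, 0xff, 0xff, 0xff,  0xf4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x00, 0x00, 0x00, 0x00 };

int demo_unchecked(void) { return walk_units(sample, sample + sizeof sample, 0, 1000); }
int demo_checked(void)   { return walk_units(sample, sample + sizeof sample, 1, 1000); }
```

The unchecked walk only stops because of the cap (it reports 1000 units); the checked walk accepts the first unit and rejects the second.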
Hi Skysider,

Thanks for reporting this bug. I have checked in a patch to test for negative lengths in the comp_unit structure, which will prevent this infinite loop from happening again.

Cheers
Nick