Bug 33639 - objdump enters non-terminating output loop on crafted input
Summary: objdump enters non-terminating output loop on crafted input
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.44
Importance: P2 normal
Target Milestone: 2.46
Assignee: Alan Modra
URL:
Keywords:
Duplicates: 33640
Depends on:
Blocks:
 
Reported: 2025-11-17 01:55 UTC by 970429025
Modified: 2026-03-06 01:47 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed: 2025-11-20 00:00:00
Project(s) to access:
ssh public key:


Attachments
The PoC attachment contains the input file (Infinite_Loop_2) that triggers this behavior. (2.24 KB, application/x-zip-compressed)
2025-11-17 01:55 UTC, 970429025

Description 970429025 2025-11-17 01:55:36 UTC
Created attachment 16470 [details]
The PoC attachment contains the input file (Infinite_Loop_2) that triggers this behavior.

Overview
Running objdump with the provided input causes the program to repeatedly print table information without terminating.
The program does not crash, but continues producing similar output until manually interrupted.

Steps to Reproduce:
./objdump --debugging Infinite_Loop_2

Actual Results:
objdump prints repeated table entries such as:
Table at Offset 0x4dcc84
  Length:          0
  DWARF version:   0
  Address size:    0
  Segment size:    0
  Offset entries:  0

Table at Offset 0x4dcc88
  Length:          0
  ...
This behavior continues indefinitely.
The program does not exit and must be stopped manually (e.g., Ctrl-C in gdb).

Relevant GDB excerpt:
Table at Offset 0x4dcc84
  Length:          0
  DWARF version:   0
  Address size:    0
  Segment size:    0
  Offset entries:  0

Table at Offset 0x4dcc88
  Length:          0
  DWARF version:   0
  Address size:    0
  Segment size:    0
  Offset entries:  0

Table at Offset 0x4dcc8c
  Length:          0
  DWARF version:   0
  Address size:    0
  Segment size:    0
  Offset entries:  0

Table at Offset 0x4dcc90
^C
Program received signal SIGINT, Interrupt.
0x000071323bc55104 in __GI___libc_write (fd=1, buf=0x42d8d510, nbytes=21) at ../sysdeps/unix/sysv/linux/write.c:27
27      ../sysdeps/unix/sysv/linux/write.c: No such file or directory.
(gdb) bt
#0  0x000071323bc55104 in __GI___libc_write (fd=1, buf=0x42d8d510, nbytes=21) at ../sysdeps/unix/sysv/linux/write.c:27
#1  0x000071323bbd015d in _IO_new_file_write (f=0x71323bf31760 <_IO_2_1_stdout_>, data=0x42d8d510, n=21) at fileops.c:1203
#2  0x000071323bbd1f01 in new_do_write (to_do=21, data=0x42d8d510 "  Length:          0\nc90\ng at 0xc:\ntion (loaded from Infinite_Loop_2):\n\n\240\f\363;2q",
    fp=0x71323bf31760 <_IO_2_1_stdout_>) at fileops.c:457
#3  _IO_new_do_write (fp=0x71323bf31760 <_IO_2_1_stdout_>, data=0x42d8d510 "  Length:          0\nc90\ng at 0xc:\ntion (loaded from Infinite_Loop_2):\n\n\240\f\363;2q", to_do=21)
    at fileops.c:433
#4  0x000071323bbd098d in _IO_new_file_xsputn (f=0x71323bf31760 <_IO_2_1_stdout_>, data=<optimized out>, n=1) at fileops.c:1266
#5  0x000071323bba097a in _IO_vfprintf_internal (s=0x71323bf31760 <_IO_2_1_stdout_>, format=0x78ee76 "  Length:          %#lx\n", ap=ap@entry=0x7ffd290bfaf0) at vfprintf.c:1674
#6  0x000071323bba9ee6 in __printf (format=<optimized out>) at printf.c:33
#7  0x00000000004940ee in display_loclists_unit_header (section=section@entry=0xadf480 <debug_displays+1568>, header_offset=5098640,
    offset_count=offset_count@entry=0x7ffd290bfc6c, loclists_start=loclists_start@entry=0x7ffd290bfcb8) at ../../binutils-2.44/binutils/dwarf.c:7276
#8  0x0000000000469d2e in display_debug_loc (section=section@entry=0xadf480 <debug_displays+1568>, file=file@entry=0x42d793f0) at ../../binutils-2.44/binutils/dwarf.c:7486
#9  0x000000000043f9aa in dump_dwarf_section (abfd=abfd@entry=0x42d793f0, section=section@entry=0x42d7f868, arg=arg@entry=0x7ffd290bfdf8)
    at ../../binutils-2.44/binutils/objdump.c:4499
#10 0x000000000055b5e4 in bfd_map_over_sections (abfd=abfd@entry=0x42d793f0, operation=0x43f6c0 <dump_dwarf_section>, user_storage=user_storage@entry=0x7ffd290bfdf8)
    at ../../binutils-2.44/bfd/section.c:1391
#11 0x000000000043b2e1 in dump_dwarf (abfd=0x42d793f0, is_mainfile=true) at ../../binutils-2.44/binutils/objdump.c:4537
#12 dump_bfd (abfd=abfd@entry=0x42d793f0, is_mainfile=true) at ../../binutils-2.44/binutils/objdump.c:5818
#13 0x0000000000439724 in display_object_bfd (abfd=abfd@entry=0x42d793f0) at ../../binutils-2.44/binutils/objdump.c:5855
#14 0x00000000004394f1 in display_any_bfd (file=file@entry=0x42d793f0, level=level@entry=0) at ../../binutils-2.44/binutils/objdump.c:5934
#15 0x000000000043767c in display_file (filename=0x7ffd290c054a "Infinite_Loop_2", target=0x0) at ../../binutils-2.44/binutils/objdump.c:5955
#16 main (argc=<optimized out>, argv=<optimized out>) at ../../binutils-2.44/binutils/objdump.c:6364
(gdb)


Expected Results:
objdump should stop processing and report an error if the input is invalid, rather than producing unbounded output.

Build & Platform:
binutils version: 2.44
component: objdump
OS: Ubuntu 18.04.6 LTS
arch: x86_64

Additional Information:
The PoC attachment contains the input file (Infinite_Loop_2) that triggers this behavior.
The issue is fully reproducible using the command shown above.
Comment 1 970429025 2025-11-17 02:24:28 UTC
I’m aware that options like --debug-dump may produce a lot of output, but in this case the input file is small and objdump keeps printing similar table entries for at least ten minutes without terminating, which does not look like expected verbose behavior.
Comment 2 Sourceware Commits 2025-11-21 23:34:34 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7

commit 455446bbdc8675f34808187de2bbad4682016ff7
Author: Alan Modra <amodra@gmail.com>
Date:   Sat Nov 22 09:52:18 2025 +1030

    PR 33639 .debug_loclists output
    
    The fuzzed testcase in this PR prints an almost endless table of
    offsets, due to a bogus offset count.  Limit that count, and the total
    length too.
    
            PR 33639
            * dwarf.c (display_loclists_unit_header): Return error on
            length too small to read header.  Limit length to section
            size.  Limit offset count similarly.
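Added illustration, not binutils' code and not the commit referenced above: a minimal DWARF 5 .debug_loclists unit-header parser in C that applies the three checks the commit message lists (reject a unit length too small to hold the fixed header, limit the length to the section size, limit the offset count so the table fits in the unit) and a section walker that stops at the first bad header instead of printing on. The header layout (unit_length, version, address_size, segment_selector_size, offset_entry_count, then the offset table) is the DWARF 5 one; the struct and function names and the sample byte arrays are constructed for this example, including a section whose tables all have Length: 0 like the ones in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One DWARF 5 .debug_loclists unit header.  unit_length is 4 bytes, or
   0xffffffff followed by an 8-byte length for 64-bit DWARF.  The fixed
   part after it is version (2), address_size (1), segment_selector_size (1),
   offset_entry_count (4), followed by offset_entry_count offsets. */
struct loclists_header {
    uint64_t unit_length;        /* bytes in the unit after the length field */
    int      offset_size;        /* 4 for 32-bit DWARF, 8 for 64-bit DWARF */
    uint16_t version;
    uint8_t  address_size;
    uint8_t  segment_selector_size;
    uint32_t offset_entry_count;
    size_t   next_unit;          /* section offset of the following unit */
};

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED,   /* not enough bytes left for the length field */
    PARSE_BAD_LENGTH,  /* length below the fixed header size or past the section end */
    PARSE_BAD_COUNT    /* offset table would not fit inside the unit */
};

#define LOCLISTS_FIXED_HDR 8   /* version + address_size + seg_sel_size + offset_entry_count */

/* Little-endian readers; callers have already bounds-checked p. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Parse the header at section offset 'off'.  *h is filled in only on PARSE_OK. */
enum parse_status parse_loclists_header(const uint8_t *sec, size_t sec_len,
                                        size_t off, struct loclists_header *h)
{
    if (off > sec_len || sec_len - off < 4)
        return PARSE_TRUNCATED;
    uint64_t len = rd32(sec + off);
    size_t hdr = off + 4;                    /* start of the fixed header */
    int offset_size = 4;
    if (len == 0xffffffffu) {                /* 64-bit DWARF escape */
        if (sec_len - hdr < 8)
            return PARSE_TRUNCATED;
        len = rd64(sec + hdr);
        hdr += 8;
        offset_size = 8;
    }
    if (len < LOCLISTS_FIXED_HDR)            /* e.g. "Length: 0": cannot hold a header */
        return PARSE_BAD_LENGTH;
    if (len > sec_len - hdr)                 /* limit the length to the section size */
        return PARSE_BAD_LENGTH;

    h->unit_length = len;
    h->offset_size = offset_size;
    h->version = rd16(sec + hdr);
    h->address_size = sec[hdr + 2];
    h->segment_selector_size = sec[hdr + 3];
    h->offset_entry_count = rd32(sec + hdr + 4);
    /* Limit the offset count: the table must fit in the unit's remaining bytes. */
    uint64_t table_bytes = (uint64_t)h->offset_entry_count * (uint64_t)offset_size;
    if (table_bytes > len - LOCLISTS_FIXED_HDR)
        return PARSE_BAD_COUNT;
    h->next_unit = hdr + (size_t)len;        /* <= sec_len and > off, so a walk terminates */
    return PARSE_OK;
}

/* Walk the units of a section, stopping at the first malformed header.
   Returns the status of the last header examined; *units_seen (if non-NULL)
   receives the number of valid units. */
enum parse_status walk_loclists(const uint8_t *sec, size_t sec_len, int *units_seen)
{
    int n = 0;
    size_t off = 0;
    enum parse_status st = PARSE_OK;
    while (off < sec_len) {
        struct loclists_header h;
        st = parse_loclists_header(sec, sec_len, off, &h);
        if (st != PARSE_OK)
            break;
        n++;
        off = h.next_unit;
    }
    if (units_seen)
        *units_seen = n;
    return st;
}

/* Constructed sample sections (not taken from the bug's attachment). */
static const uint8_t sample_valid[] = {
    0x14, 0x00, 0x00, 0x00,                 /* unit_length = 20 */
    0x05, 0x00, 0x08, 0x00,                 /* version 5, address_size 8, seg_sel_size 0 */
    0x02, 0x00, 0x00, 0x00,                 /* offset_entry_count = 2 */
    0x08, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00,   /* two offsets */
    0x00, 0x00, 0x00, 0x00,                 /* list data */
};
static const uint8_t sample_zero_length[16] = { 0 };   /* every table says Length: 0 */
static const uint8_t sample_bogus_count[] = {
    0x0c, 0x00, 0x00, 0x00,                 /* unit_length = 12 */
    0x05, 0x00, 0x08, 0x00,                 /* version 5, address_size 8, seg_sel_size 0 */
    0xff, 0xff, 0xff, 0xff,                 /* offset_entry_count = 0xffffffff */
    0x00, 0x00, 0x00, 0x00,                 /* only 4 payload bytes remain */
};
static const uint8_t sample_trunc_64[] = { 0xff, 0xff, 0xff, 0xff, 0x01, 0x02 };  /* 64-bit escape, length cut off */

int main(void)
{
    int n;
    enum parse_status st = walk_loclists(sample_zero_length, sizeof sample_zero_length, &n);
    printf("zero-length tables: status %d after %d valid unit(s)\n", st, n);
    st = walk_loclists(sample_bogus_count, sizeof sample_bogus_count, &n);
    printf("bogus offset count: status %d after %d valid unit(s)\n", st, n);
    return 0;
}
```

The walker advances by at least 12 bytes per unit and never past the section end, so output is bounded by the section size; a tool built on it reports the malformed header once and stops, which is the behaviour the reporter expected.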
Comment 3 Alan Modra 2025-11-22 04:20:52 UTC
Fixed for 2.46
Comment 4 Alan Modra 2025-11-22 04:28:48 UTC
*** Bug 33640 has been marked as a duplicate of this bug. ***
Comment 5 Alan Modra 2025-11-22 06:32:51 UTC
.
Comment 6 970429025 2026-03-06 01:47:31 UTC
This issue has been assigned CVE-2025-69644