Make sure cie and fde end point to sane values in while doing unwind_frame.

* runtime/unwind.c (unwind_frame): Check end read from cie or fde doesn't
  go passed end of unwind table.

diff --git a/runtime/unwind.c b/runtime/unwind.c
index 0b4e6a9effeb6dc00cc03d391082d81fee2f0a98..0e95ba08c991ddd0786a86a0763496b0401de9e5 100644 (file)
--- a/runtime/unwind.c
+++ b/runtime/unwind.c
@@ -677,6 +677,12 @@ static int unwind_frame(struct unwind_frame_info *frame,
        state.cieEnd = ptr;     /* keep here temporarily */
        ptr = (const u8 *)(cie + 2);
        end = (const u8 *)(cie + 1) + *cie;
+
+       /* end should fall within unwind table. */
+       if (((void *)end) < table
+           || ((void *)end) > ((void *)(table + table_len)))
+         goto err;
+
        frame->call_frame = 1;
        if ((state.version = *ptr) != 1) {
                dbug_unwind(1, "CIE version number is %d.  1 is supported.\n", state.version);
@@ -734,6 +740,11 @@ static int unwind_frame(struct unwind_frame_info *frame,
        state.cieEnd = end;
        end = (const u8 *)(fde + 1) + *fde;
 
+       /* end should fall within unwind table. */
+       if (((void*)end) < table
+           || ((void *)end) > ((void *)(table + table_len)))
+         goto err;
+
        /* skip augmentation */
        if (((const char *)(cie + 2))[1] == 'z') {
                uleb128_t augSize = get_uleb128(&ptr, end);