From: Mark Wielaard
Date: Tue, 20 Oct 2009 14:55:04 +0000 (+0200)
Subject: Make sure cie and fde end point to sane values in while doing unwind_frame.
X-Git-Tag: release-1.0.9~83^2~25^2~1
X-Git-Url: https://sourceware.org/git/?a=commitdiff_plain;h=1adb61a4e1313b178f2db7d5ce766a505c073a24;p=systemtap.git

Make sure cie and fde end point to sane values in while doing unwind_frame.

* runtime/unwind.c (unwind_frame): Check end read from cie or fde doesn't go passed end of unwind table.
---
diff --git a/runtime/unwind.c b/runtime/unwind.c
index 0b4e6a9ef..0e95ba08c 100644
--- a/runtime/unwind.c
+++ b/runtime/unwind.c
@@ -677,6 +677,12 @@ static int unwind_frame(struct unwind_frame_info *frame,
 state.cieEnd = ptr; /* keep here temporarily */
 ptr = (const u8 *)(cie + 2);
 end = (const u8 *)(cie + 1) + *cie;
+
+ /* end should fall within unwind table. */
+ if (((void *)end) < table
+ || ((void *)end) > ((void *)(table + table_len)))
+ goto err;
+
 frame->call_frame = 1;
 if ((state.version = *ptr) != 1) {
 dbug_unwind(1, "CIE version number is %d. 1 is supported.\n", state.version);
@@ -734,6 +740,11 @@ static int unwind_frame(struct unwind_frame_info *frame,
 state.cieEnd = end;
 end = (const u8 *)(fde + 1) + *fde;
 
+ /* end should fall within unwind table. */
+ if (((void*)end) < table
+ || ((void *)end) > ((void *)(table + table_len)))
+ goto err;
+
 /* skip augmentation */
 if (((const char *)(cie + 2))[1] == 'z') {
 uleb128_t augSize = get_uleb128(&ptr, end);
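Review bot: The new guard in both hunks bounds `end` against the table but not against the start of the record body, so a CIE whose length word `*cie` is smaller than sizeof(*cie) produces an `end` that lies below `ptr` (`ptr = (const u8 *)(cie + 2)` versus `end = (const u8 *)(cie + 1) + *cie`) yet still passes, leaving any later `ptr`/`end` arithmetic with an inverted window. For the CIE hunk the check can be extended in place: `if ((void *)end < table || (void *)end > (void *)(table + table_len) || end < ptr) goto err;`. The FDE hunk (`end = (const u8 *)(fde + 1) + *fde`) has the same shape, but where `ptr` points at that moment is outside the hunk, so the equivalent `end < ptr` term has to be confirmed against the surrounding code. Both checks also run after `*cie` / `*fde` has already been dereferenced, so they rely on cie and fde themselves having been validated against the table earlier in unwind_frame, whose start and end are outside both hunks. As a style nit, the second hunk writes `(void*)end` where the first writes `(void *)end`.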