This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
PR22169, heap-based buffer overflow in read_1_byte
- From: Alan Modra <amodra at gmail dot com>
- To: binutils at sourceware dot org
- Date: Sun, 24 Sep 2017 16:15:39 +0930
- Subject: PR22169, heap-based buffer overflow in read_1_byte
- Authentication-results: sourceware.org; auth=none
The .debug_line header length field doesn't include the length field
itself, i.e. it's the size of the rest of .debug_line.
PR 22169
* dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index d1cf1aa..89a3f9b 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -2096,12 +2096,13 @@ decode_line_info (struct comp_unit *unit, struct dwarf2_debug *stash)
offset_size = 8;
}
- if (unit->line_offset + lh.total_length > stash->dwarf_line_size)
+ if (lh.total_length > (size_t) (line_end - line_ptr))
{
_bfd_error_handler
/* xgettext: c-format */
- (_("Dwarf Error: Line info data is bigger (%#Lx) than the space remaining in the section (%#Lx)"),
- lh.total_length, stash->dwarf_line_size - unit->line_offset);
+ (_("Dwarf Error: Line info data is bigger (%#Lx)"
+ " than the space remaining in the section (%#lx)"),
+ lh.total_length, (unsigned long) (line_end - line_ptr));
bfd_set_error (bfd_error_bad_value);
return NULL;
}
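Review bot: the new condition `lh.total_length > (size_t) (line_end - line_ptr)` is only correct if line_ptr has already been stepped past the unit_length field (4 bytes, or 12 in the 64-bit form where `offset_size = 8` is set just above); that advance is outside this hunk, so it is worth confirming nothing between the length read and this check moves line_ptr further, and that the unit's end is subsequently bounded by line_ptr + lh.total_length rather than by line_end. The `(unsigned long)` cast with `%#lx` for the pointer difference is the right pairing now that the second operand is no longer a bfd_vma, while `%#Lx` stays for lh.total_length; the old `stash->dwarf_line_size - unit->line_offset` operand disappears together with the old check.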
--
Alan Modra
Australia Development Lab, IBM
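The length semantics the message describes, as an added example that is not binutils code: both forms of the unit_length field are parsed from constructed .debug_line fragments and the pre-patch and post-patch bounds checks are applied to them, so the 8-byte fragment whose length claims 6 passes the old check but is rejected by the new one. The function names and sample bytes are constructed here.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed .debug_line fragments (not binutils data): a unit_length
   field followed by the unit body.  */
static const uint8_t unit_ok[8] = { 4, 0, 0, 0, 1, 2, 3, 4 };       /* length 4, 4 bytes follow */
static const uint8_t unit_overlong[8] = { 6, 0, 0, 0, 1, 2, 3, 4 }; /* length 6, only 4 follow */
static const uint8_t unit_dwarf64[16] = { 0xff, 0xff, 0xff, 0xff,   /* 64-bit escape */
    4, 0, 0, 0, 0, 0, 0, 0, 1, 2, 3, 4 };                           /* length 4, 4 bytes follow */

/* Little-endian load of n bytes.  */
static uint64_t le_load(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Read unit_length in its 32-bit or 64-bit form.  Returns the size of the
   length field (4 or 12), or 0 if the buffer cannot hold it.  */
static size_t read_unit_length(const uint8_t *p, size_t avail, uint64_t *total_length)
{
    if (avail < 4) return 0;
    *total_length = le_load(p, 4);
    if (*total_length != 0xffffffffu) return 4;
    if (avail < 12) return 0;
    *total_length = le_load(p + 4, 8);
    return 12;
}

/* Pre-patch check: measures from the start of the unit, so the bytes of
   the length field itself are wrongly counted as space unit_length covers.  */
static int old_check_accepts(const uint8_t *sec, size_t sec_size, size_t off)
{
    uint64_t total_length;
    if (off > sec_size || !read_unit_length(sec + off, sec_size - off, &total_length))
        return 0;
    return !(off + total_length > sec_size);
}

/* Post-patch check: line_ptr sits just past the length field, so
   line_end - line_ptr is exactly the space unit_length is allowed to cover.  */
static int new_check_accepts(const uint8_t *sec, size_t sec_size, size_t off)
{
    uint64_t total_length;
    size_t hdr = off > sec_size ? 0 : read_unit_length(sec + off, sec_size - off, &total_length);
    if (hdr == 0) return 0;
    const uint8_t *line_ptr = sec + off + hdr;
    const uint8_t *line_end = sec + sec_size;
    return !(total_length > (size_t)(line_end - line_ptr));
}
```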