This is the mail archive of the mailing list for the elfutils project.


[Patch] derelocate.c find_section must check next section exists


While playing with valgrind I saw this:

==28430== Invalid read of size 8
==28430==    at 0x4E48AC5: find_section (derelocate.c:321)
==28430==    by 0x4E48D58: dwfl_module_address_section (derelocate.c:366)
==28430==    by 0x400B06: main (dwfl-addr-sect.c:38)
==28430==  Address 0x62a9a48 is not stack'd, malloc'd or (recently) free'd

Valgrind is right: there is an off-by-one check failure that can mean we
access beyond the end of an array. The following fixes it:

2012-09-25  Mark Wielaard  <>

    * derelocate.c (find_section): Check next section exists before
    accessing it.


diff --git a/libdwfl/derelocate.c b/libdwfl/derelocate.c
index e3fcba8..56f998c 100644
--- a/libdwfl/derelocate.c
+++ b/libdwfl/derelocate.c
@@ -317,7 +317,7 @@ find_section (Dwfl_Module *mod, Dwarf_Addr *addr)
 	     inside the next one.  A section limit address can appear in
 	     line records.  */
 	  if (*addr == sections->refs[idx].end
-	      && idx < sections->count
+	      && idx + 1 < sections->count
 	      && *addr == sections->refs[idx + 1].start)
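Review bot: the removed guard `idx < sections->count` was vacuous, since `idx` already indexes a valid entry of `refs`, so `sections->refs[idx + 1]` was read unconditionally whenever `*addr` equalled the end of the last section; `idx + 1 < sections->count` is the correct bound for the `refs[idx + 1]` access that follows. It would be worth adding a regression test that passes the end address of a module's last section through dwfl_module_address_section (the dwfl-addr-sect path in the valgrind trace above), so the out-of-bounds read cannot quietly return.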
