


[PATCH] libdw: dwarf_getaranges check there is enough data before reading.


https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c30

Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 libdw/ChangeLog          |  5 +++++
 libdw/dwarf_getaranges.c | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index fd3e4ad..f5dfc8f 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-05  Mark Wielaard  <mjw@redhat.com>
+
+	* dwarf_getaranges.c (dwarf_getaranges): Check there is enough data
+	left before reading values.
+
 2015-05-04  Anthony G. Basile  <blueness@gentoo.org>
 
 	* Makefile.am (libdw_so_SOURCES): Append $(argp_LDADD) to link
diff --git a/libdw/dwarf_getaranges.c b/libdw/dwarf_getaranges.c
index 4953af5..c03e946 100644
--- a/libdw/dwarf_getaranges.c
+++ b/libdw/dwarf_getaranges.c
@@ -110,10 +110,16 @@ dwarf_getaranges (dbg, aranges, naranges)
 
 	 5. A 1-byte unsigned integer containing the size in bytes of
 	 a segment descriptor on the target system.  */
+      if (readp + 4 > readendp)
+	goto invalid;
+
       Dwarf_Word length = read_4ubyte_unaligned_inc (dbg, readp);
       unsigned int length_bytes = 4;
       if (length == DWARF3_LENGTH_64_BIT)
 	{
+	  if (readp + 8 > readendp)
+	    goto invalid;
+
 	  length = read_8ubyte_unaligned_inc (dbg, readp);
 	  length_bytes = 8;
 	}
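Review bot: The new bounds checks on the `if (readp + 4 > readendp)` and `if (readp + 8 > readendp)` lines form a pointer past the end of the .debug_aranges buffer before comparing it, which is undefined behaviour in C when the remaining data is shorter than the requested width; the same shape appears in the later hunks at `if (readp + 2 > readendp)` and `if (readp + address_size > readendp)`. Rewriting each test as a length comparison avoids forming the out-of-range pointer, e.g. `if (readendp - readp < 4)` and `if (readendp - readp < 8)` here, with the `< 2` and `< address_size` forms in the later hunks. For the `address_size` check this also removes any dependence on `address_size` having been range-validated earlier, which the hunk does not show. The enclosing `dwarf_getaranges` begins and ends outside these hunks, so whether `readp <= readendp` holds on entry to each check is not visible here and is assumed.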
@@ -121,6 +127,9 @@ dwarf_getaranges (dbg, aranges, naranges)
 			 && length <= DWARF3_LENGTH_MAX_ESCAPE_CODE))
 	goto invalid;
 
+      if (readp + 2 > readendp)
+	goto invalid;
+
       unsigned int version = read_2ubyte_unaligned_inc (dbg, readp);
       if (version != 2)
 	{
@@ -136,7 +145,7 @@ dwarf_getaranges (dbg, aranges, naranges)
 	  return -1;
 	}
 
-      Dwarf_Word offset;
+      Dwarf_Word offset = 0;
       if (__libdw_read_offset_inc (dbg,
 				   IDX_debug_aranges, &readp,
 				   length_bytes, &offset, IDX_debug_info, 4))
@@ -164,6 +173,9 @@ dwarf_getaranges (dbg, aranges, naranges)
 					address_size, &range_address))
 	    goto fail;
 
+	  if (readp + address_size > readendp)
+	    goto invalid;
+
 	  if (address_size == 4)
 	    range_length = read_4ubyte_unaligned_inc (dbg, readp);
 	  else
-- 
2.1.0

