PR24898, An out-of-bounds read occurred in display_data

Alan Modra amodra@gmail.com
Mon Aug 19 11:08:00 GMT 2019


Given 32-bit pointers and a 64-bit bfd_size_type, it is relatively
easy to construct a value of augmentation_data_len (e.g. 0x100000000)
that won't fail pointer checks but will print without bounds.

	PR 24898
	* dwarf.c (display_debug_frames): Use the read_cie check and error
	for augmentation data length.
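The wrap the message describes, as an added illustration (constructed example, not binutils code): a 32-bit target is modelled with pointers as uint32_t offsets and the length as a 64-bit value, and the pre-patch check is compared with the patched one.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simulated 32-bit target: pointers are 32-bit offsets, lengths are 64-bit.
   Names and values here are constructed for illustration. */
typedef uint32_t ptr32;
typedef uint64_t size64;

/* Pre-patch pattern: advance the pointer first, then compare pointers.
   A 64-bit length can wrap the 32-bit pointer so every test passes. */
static bool old_check_accepts(ptr32 aug_data, ptr32 end, size64 len)
{
    ptr32 start = (ptr32)(aug_data + len);   /* truncates to 32 bits */
    if (start >= end || (int64_t)len < 0 || aug_data > start)
        return false;                         /* flagged as corrupt */
    return true;
}

/* Patched pattern: compare the length against the bytes remaining
   before touching the pointer, so no wrap is possible. */
static bool new_check_accepts(ptr32 start, ptr32 end, size64 len)
{
    return len <= (size64)(end - start);
}

int main(void)
{
    ptr32 start = 0x1000, end = 0x2000;       /* 4 KiB of data remain */
    size64 len = 0x100000000ULL;              /* 2^32: wraps a 32-bit pointer */

    printf("old check accepts 2^32: %d\n", old_check_accepts(start, end, len));
    printf("new check accepts 2^32: %d\n", new_check_accepts(start, end, len));
    printf("new check accepts exact fit: %d\n",
           new_check_accepts(start, end, (size64)(end - start)));
    return 0;
}
```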

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index b4738ebb8d..e792a17018 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -7822,18 +7822,18 @@ display_debug_frames (struct dwarf_section *section,
 	    {
 	      READ_ULEB (augmentation_data_len);
 	      augmentation_data = start;
-	      start += augmentation_data_len;
 	      /* PR 17512 file: 722-8446-0.004 and PR 22386.  */
-	      if (start >= end
-		  || ((bfd_signed_vma) augmentation_data_len) < 0
-		  || augmentation_data > start)
+	      if (augmentation_data_len > (bfd_size_type) (end - start))
 		{
-		  warn (_("Corrupt augmentation data length: 0x%s\n"),
-			dwarf_vmatoa ("x", augmentation_data_len));
+		  warn (_("Augmentation data too long: 0x%s, "
+			  "expected at most %#lx\n"),
+			dwarf_vmatoa ("x", augmentation_data_len),
+			(unsigned long) (end - start));
 		  start = end;
 		  augmentation_data = NULL;
 		  augmentation_data_len = 0;
 		}
+	      start += augmentation_data_len;
 	    }
 
 	  printf ("\n%08lx %s %s FDE cie=%08lx pc=",
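Review bot: the new condition `augmentation_data_len > (bfd_size_type) (end - start)` is only sound if `start <= end` holds on entry; should READ_ULEB be able to advance `start` past `end`, the subtraction goes negative and the cast to bfd_size_type turns it into a huge bound that every length passes, so it is worth confirming the macro clamps at `end` (or guarding with `start > end ||` in front). Moving `start += augmentation_data_len;` below the check is what closes the 32-bit pointer wrap, since the old test compared pointers only after the addition. Minor: the message mixes `0x%s` with `%#lx`; the latter prints a bare `0` rather than `0x0` when no bytes remain.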

-- 
Alan Modra
Australia Development Lab, IBM