PR22239 - invalid memory read in display_debug_frames

Pointer comparisons have traps for the unwary. After adding a large unknown value to "start", the test "start < end" depends on where "start" is originally in memory. PR 22239 * dwarf.c (read_cie): Don't compare "start" and "end" pointers after adding a possibly wild length to "start", compare the length to the difference of the pointers instead. Remove now redundant "negative" length test.
2017-10-05 17:32:18 +10:30
parent c91933e9e3
commit 9c0f3d3f20
2 changed files with 12 additions and 11 deletions
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -7001,14 +7001,14 @@ read_cie (unsigned char *start, unsigned char *end,
    {
      READ_ULEB (augmentation_data_len);
      augmentation_data = start;
-      start += augmentation_data_len;
      /* PR 17512: file: 11042-2589-0.004.  */
-      if (start > end)
+      if (augmentation_data_len > (size_t) (end - start))
 	{
 	  warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
-		augmentation_data_len, (long)((end - start) + augmentation_data_len));
+		augmentation_data_len, (unsigned long) (end - start));
 	  return end;
 	}
+      start += augmentation_data_len;
    }

  if (augmentation_data_len)
@@ -7021,14 +7021,7 @@ read_cie (unsigned char *start, unsigned char *end,
      q = augmentation_data;
      qend = q + augmentation_data_len;

-      /* PR 17531: file: 015adfaa.  */
-      if (qend < q)
-	{
-	  warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
-	  augmentation_data_len = 0;
-	}
-
-      while (p < end && q < augmentation_data + augmentation_data_len)
+      while (p < end && q < qend)
 	{
 	  if (*p == 'L')
 	    q++;