Toolchain/binutils-gdb
1
0
Fork 0
forked from Imagelibrary/binutils-gdb
Code Pull Requests Activity

Fix potential integer overflow when reading corrupt dwarf1 debug information.

Browse Source 
PR 22894
	* dwarf1.c (parse_die): Check the length of form blocks before
	advancing the data pointer.
This commit is contained in:
Nick Clifton
2018-02-28 10:13:54 +00:00
parent 0d329c0a83
commit eef104664e
2 changed files with 21 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
bfd/dwarf1.c
View File

@@ -213,6 +213,7 @@ parse_die (bfd * abfd,
/* Then the attributes. */
while (xptr + 2 <= aDiePtrEnd)
{
unsigned int block_len;
unsigned short attr;
/* Parse the attribute based on its form. This section
@@ -255,12 +256,24 @@ parse_die (bfd * abfd,
break;
case FORM_BLOCK2:
if (xptr + 2 <= aDiePtrEnd)
xptr += bfd_get_16 (abfd, xptr);
{
block_len = bfd_get_16 (abfd, xptr);
if (xptr + block_len > aDiePtrEnd
|| xptr + block_len < xptr)
return FALSE;
xptr += block_len;
}
xptr += 2;
break;
case FORM_BLOCK4:
if (xptr + 4 <= aDiePtrEnd)
xptr += bfd_get_32 (abfd, xptr);
{
block_len = bfd_get_32 (abfd, xptr);
if (xptr + block_len > aDiePtrEnd
|| xptr + block_len < xptr)
return FALSE;
xptr += block_len;
}
xptr += 4;
break;
case FORM_STRING: