Fix potential illegal memory accesses when parsing corrupt DWARF data.
	PR 29914
	* dwarf.c (fetch_indexed_value): Fail if the section is not big
	enough to contain a header size field.
	(display_debug_addr): Fail if the computed address size is too big
	or too small.
nickclifton committed Dec 19, 2022
1 parent d14b3ea commit 42f39fd
Showing 2 changed files with 22 additions and 0 deletions.
8 changes: 8 additions & 0 deletions binutils/ChangeLog
@@ -1,3 +1,11 @@
2022-12-19 Nick Clifton <nickc@redhat.com>

PR 29914
* dwarf.c (fetch_indexed_value): Fail if the section is not big
enough to contain a header size field.
(display_debug_addr): Fail if the computed address size is too big
or too small.

2022-12-16 Nick Clifton <nickc@redhat.com>

PR 29908
14 changes: 14 additions & 0 deletions binutils/dwarf.c
Expand Up @@ -739,6 +739,13 @@ fetch_indexed_value (uint64_t idx,
return -1;
}

if (section->size < 4)
{
warn (_("Section %s is too small to contain an value indexed from another section!\n"),
section->name);
return -1;
}

uint32_t pointer_size, bias;

if (byte_get (section->start, 4) == 0xffffffff)
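Review bot: the warning string in the new `section->size < 4` check reads "an value indexed from another section"; it should be "a value", and because the string is wrapped in `_()` the typo will be carried into the translation catalogue. The bare `4` also deserves a short comment saying it is the width of the field read by `byte_get (section->start, 4)` on the line just below, so the bound and the read stay in step if either is changed later. The check covers that first 4-byte read only; it says nothing about reads further into the section.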
Expand Down Expand Up @@ -7770,6 +7777,13 @@ display_debug_addr (struct dwarf_section *section,
header = end;
idx = 0;

if (address_size < 1 || address_size > sizeof (uint64_t))
{
warn (_("Corrupt %s section: address size (%x) is wrong"),
section->name, address_size);
return 0;
}

while ((size_t) (end - entry) >= address_size)
{
uint64_t base = byte_get (entry, address_size);
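Review bot: the `warn ()` format in the new `address_size` check has no trailing "\n", unlike the message added to `fetch_indexed_value` in this same commit, so the warning will run into whatever is printed next; add the newline. Printing the size with `%x` and no prefix is also ambiguous for a value such as 10; "0x%x" would make the base obvious. The bound itself, 1 to `sizeof (uint64_t)`, fits the `uint64_t base = byte_get (entry, address_size)` read that follows.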
