PR27836, readelf -w pointer comparison UB

	PR 27836
	* dwarf.c (display_debug_frames): Don't compare pointers derived
	from user input.  Test offset against bounds instead.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index be50b3142abda1272769bfbe6c9d69855450b4b1..aef73a5a7b9ae60f43a25f72f62709469c4fb509 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2021-05-12  Alan Modra  <amodra@gmail.com>
+
+       PR 27836
+       * dwarf.c (display_debug_frames): Don't compare pointers derived
+       from user input.  Test offset against bounds instead.
+
 2021-05-12  Alan Modra  <amodra@gmail.com>
 
        PR 27853

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 896035ccde2aeee46530dbefaf829310ad82f2a8..51c0afc275e44eb4987b3734c1ba35ec911a3182 100644 (file)
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -8810,16 +8810,18 @@ display_debug_frames (struct dwarf_section *section,
        {
          unsigned char *look_for;
          unsigned long segment_selector;
+         dwarf_vma cie_off;
 
+         cie_off = cie_id;
          if (is_eh)
            {
              dwarf_vma sign = (dwarf_vma) 1 << (offset_size * 8 - 1);
-             look_for = start - 4 - ((cie_id ^ sign) - sign);
+             cie_off = (cie_off ^ sign) - sign;
+             cie_off = start - 4 - section_start - cie_off;
            }
-         else
-           look_for = section_start + cie_id;
 
-         if (look_for <= saved_start)
+         look_for = section_start + cie_off;
+         if (cie_off <= (dwarf_vma) (saved_start - section_start))
            {
              for (cie = chunks; cie ; cie = cie->next)
                if (cie->chunk_start == look_for)