Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
and ffffd5555453b140 result in a total size of 1. Reading the first
section of course overflows the buffer and tramples on other memory.
PR 25070
* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
total_size calculation.
+2019-10-09 Alan Modra <amodra@gmail.com>
+
+ PR 25070
+ * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
+ total_size calculation.
+
2019-10-08 Alan Modra <amodra@gmail.com>
PR 25078
for (total_size = 0;
msec;
msec = find_debug_info (debug_bfd, debug_sections, msec))
- total_size += msec->size;
+ {
+ /* Catch PR25070 testcase overflowing size calculation here. */
+ if (total_size + msec->size < total_size
+ || total_size + msec->size < msec->size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+ total_size += msec->size;
+ }
stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
if (stash->info_ptr_memory == NULL)
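Review bot: The two-part overflow test in the loop body is redundant if total_size and msec->size are both unsigned, which the wraparound comparison already presumes: a wrapped sum is smaller than either operand, so `total_size + msec->size < total_size` alone catches every case, and the second clause only adds noise. It would also be worth stating the unsigned assumption in the comment, since the same expression on a signed type would be undefined behaviour rather than a reliable check. Separately, bfd_set_error (bfd_error_no_memory) reports a malformed input as an allocation failure; bfd_error_bad_value would tell the caller that the file's section sizes are inconsistent, not that the host ran out of memory. Finally, this only rejects sums that wrap: each msec->size is still taken on trust, so a single oversized section reaches bfd_malloc (total_size) unchecked and relies on the NULL test that follows. Comparing each section size against the file size before accumulating would reject that input earlier.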