Fix an illegal memory access triggered by an attempt to parse a corrupt input file.
authorNick Clifton <nickc@redhat.com>
Fri, 2 Jul 2021 13:56:36 +0000 (14:56 +0100)
committerNick Clifton <nickc@redhat.com>
Fri, 2 Jul 2021 13:56:36 +0000 (14:56 +0100)
PR 28046
* dwarf2.c (read_ranges): Check that range_ptr does not exceed
range_end.

bfd/ChangeLog
bfd/dwarf2.c

index abb9e09a849481f2e3e8fb71cb8a21a43821c526..1c4c176c9fa953ebf8001e3ed021da451f31f47d 100644 (file)
@@ -1,3 +1,9 @@
+2021-07-02  Nick Clifton  <nickc@redhat.com>
+
+       PR 28046
+       * dwarf2.c (read_ranges): Check that range_ptr does not exceed
+       range_end.
+
 2021-06-30  YunQiang Su  <yunqiang.su@cipunited.com>
 
        PR mips/28009
index 79fcd0618d862fa982da59ac4bc19d80bb2cd546..1247f952def003ef71a08b50c5557d272e683b07 100644 (file)
@@ -909,7 +909,8 @@ read_address (struct comp_unit *unit, bfd_byte **ptr, bfd_byte *buf_end)
   if (bfd_get_flavour (unit->abfd) == bfd_target_elf_flavour)
     signed_vma = get_elf_backend_data (unit->abfd)->sign_extend_vma;
 
-  if (unit->addr_size > (size_t) (buf_end - buf))
+  if (unit->addr_size > (size_t) (buf_end - buf)
+      || (buf > buf_end))
     {
       *ptr = buf_end;
       return 0;
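Review bot: In the added condition the subtraction `(size_t) (buf_end - buf)` is still evaluated before `buf > buf_end`. For a pointer already past the end, the difference is negative, and the new test is only reached because the cast wraps it to a very large size_t. Putting the ordering test first states the intent directly and keeps the subtraction to the case where it is meaningful: `if (buf > buf_end || unit->addr_size > (size_t) (buf_end - buf))`. A one-line comment such as `/* PR 28046: BUF may already lie beyond BUF_END for corrupt input.  */` would tell a later reader why the second test exists. read_address starts above this hunk and continues below it, so how `buf` is derived from `*ptr` is not visible here.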
@@ -3097,6 +3098,8 @@ read_ranges (struct comp_unit *unit, struct arange *arange,
   if (ranges_ptr < unit->file->dwarf_ranges_buffer)
     return false;
   ranges_end = unit->file->dwarf_ranges_buffer + unit->file->dwarf_ranges_size;
+  if (ranges_ptr >= ranges_end)
+    return false;
 
   for (;;)
     {
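Review bot: The new `ranges_ptr >= ranges_end` test is a one-time entry check on a pointer that has already been formed above the hunk. If `ranges_ptr` is computed there as the buffer base plus an offset read from the file, comparing that offset against `unit->file->dwarf_ranges_size` before the addition would reject the corrupt value without creating an out-of-range pointer, and would not depend on the `<` wrap test that precedes this one. The loop body is outside the hunk, so it is not visible whether each iteration also confirms that a full address pair fits before `ranges_end`; that is worth checking alongside this change. A comment on the added lines, for example `/* PR 28046: the offset is at or beyond the end of the ranges buffer.  */`, would record why the check is needed.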