Fix illegal memory access when parsing corrupt DWARF information.
authorNick Clifton <nickc@redhat.com>
Tue, 17 Apr 2018 11:35:55 +0000 (12:35 +0100)
committerNick Clifton <nickc@redhat.com>
Tue, 17 Apr 2018 11:35:55 +0000 (12:35 +0100)
PR 23064
* dwarf.c (process_cu_tu_index): Test for a potential buffer
overrun before copying signature pointer.

binutils/ChangeLog
binutils/dwarf.c

index 1b63c7d0184d962e0c98ff22abe8f049ec08b699..5219cb129e9edd0e7eda2f95023e406302c7ee34 100644 (file)
@@ -1,3 +1,9 @@
+2018-04-17  Nick Clifton  <nickc@redhat.com>
+
+       PR 23064
+       * dwarf.c (process_cu_tu_index): Test for a potential buffer
+       overrun before copying signature pointer.
+
 2018-04-17  Alan Modra  <amodra@gmail.com>
 
        * readelf.c: Revert 2018-04-16 and 2018-04-11 changes.
index 10b4e284ce3cafccd50499700bca84346af85e62..f94f5b2fe699941b2f31c803da422b4c9b071d39 100644 (file)
@@ -9287,7 +9287,18 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
                }
 
              if (!do_display)
-               memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));
+               {
+                 size_t num_copy = sizeof (uint64_t);
+
+                 /* PR 23064: Beware of buffer overflow.  */
+                 if (ph + num_copy < limit)
+                   memcpy (&this_set[row - 1].signature, ph, num_copy);
+                 else
+                   {
+                     warn (_("Signature (%p) extends beyond end of space in section\n"), ph);
+                     return 0;
+                   }
+               }
 
              prow = poffsets + (row - 1) * ncols * 4;
              /* PR 17531: file: b8ce60a8.  */
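Review bot: The new guard `if (ph + num_copy < limit)` forms the pointer `ph + num_copy` before comparing it, so on a corrupt index where `ph` is already near or past the end of the section data the addition itself is out of bounds (undefined behaviour, and it may wrap), which is the case the check is meant to catch. Comparing the remaining length avoids this: `if (ph <= limit && num_copy <= (size_t) (limit - ph))`. That form also accepts a signature ending exactly at `limit`, which the strict `<` rejects; this assumes `limit` points one past the last valid byte, and its definition is outside the hunk, so confirm it. Separately, `%p` expects a `void *`, so the warning argument should be `(void *) ph`. The body of process_cu_tu_index continues outside the hunk, so the range check on `row` before `this_set[row - 1]` is not visible here and should be confirmed to cover this path.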