Fix a stack exhaustion bug parsing malicious STABS format debug information.
authorNick Clifton <nickc@redhat.com>
Thu, 6 Jan 2022 16:37:26 +0000 (16:37 +0000)
committerNick Clifton <nickc@redhat.com>
Thu, 6 Jan 2022 16:37:26 +0000 (16:37 +0000)
PR 28718
* debug.c (debug_write_type): Allow for malicious recursion via
indirect debug types.

binutils/ChangeLog
binutils/debug.c

index 3953e4e3e61c3aee63af32f3bbd5fdff3f48fdf1..0b34eadcdc3cb3a5f66e41dbb5a7a461fc2b7c22 100644 (file)
@@ -1,3 +1,9 @@
+2022-01-06  Nick Clifton  <nickc@redhat.com>
+
+       PR 28718
+       * debug.c (debug_write_type): Allow for malicious recursion via
+       indirect debug types.
+
 2022-01-04  Nick Clifton  <nickc@redhat.com>
 
        PR 28716
index 64a0ad217aff9f5a02b60226b257cfdcc05f2b1a..5866365247a5bec12c6dea8ee7703303adf132fe 100644 (file)
@@ -2484,8 +2484,22 @@ debug_write_type (struct debug_handle *info,
       debug_error (_("debug_write_type: illegal type encountered"));
       return false;
     case DEBUG_KIND_INDIRECT:
-      return debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
-                              name);
+      /* PR 28718: Allow for malicious recursion.  */
+      {
+       static int recursion_depth = 0;
+       bool result;
+
+       if (recursion_depth > 256)
+         {
+           debug_error (_("debug_write_type: too many levels of nested indirection"));
+           return false;
+         }
+       ++ recursion_depth;
+       result = debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
+                                 name);
+       -- recursion_depth;
+       return result;
+      }
     case DEBUG_KIND_VOID:
       return (*fns->void_type) (fhandle);
     case DEBUG_KIND_INT:
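Review bot: The depth guard in the `DEBUG_KIND_INDIRECT` case counts only indirect hops, so it bounds stack use for long chains or cycles of indirect types but, as far as this hunk shows, not for recursion that re-enters `debug_write_type` through other type kinds. The rest of the function lies outside the hunk, so it is worth confirming that those paths have their own cycle or depth check. The limit `256` is an unexplained literal; a named constant such as `#define DEBUG_MAX_INDIRECT_DEPTH 256`, with a comment saying it is an arbitrary cap on untrusted input, would make the policy easier to audit and tune. Since `recursion_depth` is a function-local `static`, I would also add a comment along the lines of `/* Every return from the nested call must pass through the decrement below.  */` so that a later early exit added between `++ recursion_depth` and `-- recursion_depth` does not leave the counter stuck high for subsequent types.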