Fix an infinite loop in the DWARF decoder when parsing a corrupt string table.
authorNick Clifton <nickc@redhat.com>
Thu, 13 May 2021 13:31:09 +0000 (14:31 +0100)
committerNick Clifton <nickc@redhat.com>
Thu, 13 May 2021 13:31:09 +0000 (14:31 +0100)
PR 27861
* dwarf.c (display_debug_str_offsets): Warn if the length field is
larger than the amount of data remaining in the section.

binutils/ChangeLog
binutils/dwarf.c

index 85d21ebfa6b2e5fb90100ac7475b021eedbb815d..42efebf54e2d2dc847ce63d48892fe1d0be782eb 100644 (file)
@@ -1,3 +1,9 @@
+2021-05-13  Nick Clifton  <nickc@redhat.com>
+
+       PR 27861
+       * dwarf.c (display_debug_str_offsets): Warn if the length field is
+       larger than the amount of data remaining in the section.
+
 2021-05-13  Alan Modra  <amodra@gmail.com>
 
        PR 27861
index b22d33c43dd3c4612bdb7f6a498ee7be56ff7407..20ffe4b52ccb0967ac8bb91292e4e3b75154d753 100644 (file)
@@ -7509,6 +7509,13 @@ display_debug_str_offsets (struct dwarf_section *section,
          printf (_("    Length: %#lx\n"), (unsigned long) length);
          printf (_("    Version: %#lx\n"), (unsigned long) version);
          printf (_("       Index   Offset [String]\n"));
+
+         if (entries_end > end)
+           {
+             warn (_("Length value (0x%s) > data remaining in the section (0x%lx)\n"),
+                   dwarf_vmatoa ("x", length), (long)(end - curr));
+             entries_end = end;
+           }     
        }
 
       for (idx = 0; curr < entries_end; idx++)
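Review bot: The guard added at line 30 compares two pointers, so if entries_end was formed as curr + length (its computation sits above this hunk) a length near the address-space size has already produced an out-of-range pointer before the comparison runs, which is undefined behaviour and can let a wrapped entries_end slip past the check; comparing the integer against the bytes actually remaining avoids forming that pointer at all, e.g. `if (length > (dwarf_vma) (end - curr))` followed by the same `entries_end = end;` clamp. The warning also prints `(long)(end - curr)` with `%lx`; `(unsigned long)` matches the specifier and can never show a negative count. The clamp lives inside the brace closed at line 36, so whichever branch of the enclosing if/else that is (it starts outside the hunk), the other path into the loop is not covered by it — confirm entries_end is bounded there too, since the loop at line 38 trusts it.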
@@ -7520,7 +7527,7 @@ display_debug_str_offsets (struct dwarf_section *section,
            /* Not enough space to read one entry_length, give up.  */
            return 0;
 
-         SAFE_BYTE_GET_AND_INC (offset, curr, entry_length, end);
+         SAFE_BYTE_GET_AND_INC (offset, curr, entry_length, entries_end);
          if (dwo)
            string = (const unsigned char *)
              fetch_indexed_string (idx, NULL, entry_length, dwo);
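Review bot: Moving the read bound to entries_end on line 44 makes the per-entry read agree with the loop guard, but the "not enough space" early return just above it (its condition is outside the hunk) should measure against entries_end as well; otherwise an entry that fits before end but straddles entries_end passes the pre-check and reaches the macro with too few bytes, and if SAFE_BYTE_GET_AND_INC does not advance curr on such a short read the `curr < entries_end` loop cannot terminate — the very symptom the commit title describes. I would write the pre-check as `if ((size_t) (entries_end - curr) < entry_length) return 0;` so the two bounds can never disagree. display_debug_str_offsets continues outside the hunk on both sides.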