PR29893, buffer overflow in display_debug_addr

author Alan Modra <amodra@gmail.com>

Mon, 12 Dec 2022 13:57:11 +0000 (00:27 +1030)

committer Alan Modra <amodra@gmail.com>

Mon, 12 Dec 2022 14:06:08 +0000 (00:36 +1030)
author Alan Modra <amodra@gmail.com>
Mon, 12 Dec 2022 13:57:11 +0000 (00:27 +1030)
committer Alan Modra <amodra@gmail.com>
Mon, 12 Dec 2022 14:06:08 +0000 (00:36 +1030)
diff --git a/binutils/dwarf.c b/binutils/dwarf.c

index b3039151ff622892cb72603c4bdc41ca8cc13db7..c39c695863ac0c8e86227d156d48eaa9eeb66989 100644 (file)
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -7731,8 +7731,13 @@ display_debug_addr (struct dwarf_section *section,
           SAFE_BYTE_GET_AND_INC (length, curr_header, 4, entry);
           if (length == 0xffffffff)
             SAFE_BYTE_GET_AND_INC (length, curr_header, 8, entry);
+         if (length > (size_t) (section->start + section->size - curr_header))
+           {
+             warn (_("Corrupt %s section: unit_length field of %#" PRIx64
+                     " too large\n"), section->name, length);
+             return 0;
+           }
           end = curr_header + length;
-
           SAFE_BYTE_GET_AND_INC (version, curr_header, 2, entry);
           if (version != 5)
             warn (_("Corrupt %s section: expecting version number 5 in header but found %d instead\n"),
@@ -7746,7 +7751,7 @@ display_debug_addr (struct dwarf_section *section,
         end = section->start + debug_addr_info [i + 1]->addr_base;
        header = end;
        idx = 0;
-      while (entry < end)
+      while ((size_t) (end - entry) >= address_size)
         {
           uint64_t base = byte_get (entry, address_size);
           printf (_("\t%d:\t"), idx);
author	Alan Modra <amodra@gmail.com>
	Mon, 12 Dec 2022 13:57:11 +0000 (00:27 +1030)
committer	Alan Modra <amodra@gmail.com>
	Mon, 12 Dec 2022 14:06:08 +0000 (00:36 +1030)