Fixes for memory access violations triggered by running readelf on fuzzed binaries.
authorNick Clifton <nickc@redhat.com>
Fri, 13 Feb 2015 14:17:18 +0000 (14:17 +0000)
committerNick Clifton <nickc@redhat.com>
Fri, 13 Feb 2015 14:17:18 +0000 (14:17 +0000)
PR binutils/17531
* dwarf.c (display_debug_aranges): Add check for an excessive
ar_length value.
(process_cu_tu_index): Check for a row * columns sum being too
large.

binutils/ChangeLog
binutils/dwarf.c

index 4325f3aeb95aaa6790082a9755dc6136fc1237b5..4f45265aba267e9f39bcb46eadeb0f09f00d603b 100644 (file)
@@ -8,6 +8,12 @@
        available before parsing.
        (prescan): Likewise.
 
+       PR binutils/17531
+       * dwarf.c (display_debug_aranges): Add check for an excessive
+       ar_length value.
+       (process_cu_tu_index): Check for a row * columns sum being too
+       large.
+
 2015-02-13  Alan Modra  <amodra@gmail.com>
 
        * dwarf.c: Formatting, whitespace.
index 936f63438e4165c97b201a4f082f879b3498a2cb..272b41f9289e855d6319b6cabba0afb8e047cff6 100644 (file)
@@ -4923,7 +4923,13 @@ display_debug_aranges (struct dwarf_section *section,
       if (excess)
        addr_ranges += (2 * address_size) - excess;
 
-      start += arange.ar_length + initial_length_size;
+      hdrptr = start + arange.ar_length + initial_length_size;
+      if (hdrptr < start || hdrptr > end)
+       {
+         error (_("Excessive header length: %lx\n"), (long) arange.ar_length);
+         break;
+       }
+      start = hdrptr;
 
       while (addr_ranges + 2 * address_size <= start)
        {
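Review bot: The wrap test `hdrptr < start` on the new line depends on `start + arange.ar_length + initial_length_size` overflowing the pointer, which is undefined behaviour in C; a compiler may fold `p + n < p` to false for an unsigned `n`, leaving only `hdrptr > end` in effect, and on a 32-bit host a large ar_length (a 64-bit value, if it is the usual dwarf_vma — the `(long)` cast suggests it is wider than `long`) is truncated before the addition and can land back inside the section. Comparing lengths instead of pointers avoids both problems and removes the reuse of `hdrptr` as a temporary: `if (arange.ar_length > (dwarf_vma) (end - start) || initial_length_size > (dwarf_vma) (end - start) - arange.ar_length) { error (...); break; }` followed by the original `start += arange.ar_length + initial_length_size;`. The `(long) arange.ar_length` in the error message will likewise truncate on 32-bit hosts; the `dwarf_vmatoa`-style helpers this file uses elsewhere (`dwarf_vmatoa64` is visible below) would print the full value. display_debug_aranges starts and ends outside this hunk.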
@@ -7084,7 +7090,14 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
                memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));
 
              prow = poffsets + (row - 1) * ncols * 4;
-
+             /* PR 17531: file: b8ce60a8.  */
+             if (prow < poffsets || prow > limit)
+               {
+                 warn (_("Row index (%u) * num columns (%u) > space remaining in section\n"),
+                       row, ncols);
+                 return 0;
+               }
              if (do_display)
                printf (_("  [%3d] 0x%s"),
                        i, dwarf_vmatoa64 (signature_high, signature_low,