From: Alan Modra <amodra@gmail.com>
Date: Tue, 18 Apr 2023 00:50:08 +0000 (+0930)
Subject: objdump buffer overflow in fetch_indexed_string
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=34d63622f677b577b927debb1d6fd2bfef4422bd;p=binutils-gdb.git

objdump buffer overflow in fetch_indexed_string

	PR 30361
	* dwarf.c (fetch_indexed_string): Sanity check string index.
---

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 87ce1541d1c..86893c59dc7 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -659,14 +659,13 @@ fetch_indexed_string (uint64_t idx,
     return (dwo ? _("<no .debug_str.dwo section>")
 		: _("<no .debug_str section>"));
 
-  index_offset = idx * offset_size;
-
-  if (this_set != NULL)
-    index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS];
-
-  index_offset += str_offsets_base;
-
-  if (index_offset + offset_size > index_section->size)
+  if (_mul_overflow (idx, offset_size, &index_offset)
+      || (this_set != NULL
+	  && ((index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS])
+	      < this_set->section_offsets [DW_SECT_STR_OFFSETS]))
+      || (index_offset += str_offsets_base) < str_offsets_base
+      || index_offset + offset_size < offset_size
+      || index_offset + offset_size > index_section->size)
     {
       warn (_("string index of %" PRIu64 " converts to an offset of %#" PRIx64
 	      " which is too big for section %s"),
@@ -675,11 +674,6 @@ fetch_indexed_string (uint64_t idx,
       return _("<string index too big>");
     }
 
-  /* FIXME: If we are being paranoid then we should also check to see if
-     IDX references an entry beyond the end of the string table pointed to
-     by STR_OFFSETS_BASE.  (Since there can be more than one string table
-     in a DWARF string section).  */
-
   str_offset = byte_get (index_section->start + index_offset, offset_size);
 
   str_offset -= str_section->address;