From: Nick Clifton <nickc@redhat.com>
Date: Tue, 17 Apr 2018 11:35:55 +0000 (+0100)
Subject: Fix illegal memory access when parsing corrupt DWARF information.
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=6aea08d9f3e3d6475a65454da488a0c51f5dc97d;p=binutils-gdb.git

Fix illegal memory access when parsing corrupt DWARF information.

	PR 23064
	* dwarf.c (process_cu_tu_index): Test for a potential buffer
	overrun before copying signature pointer.
---

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 1b63c7d0184..5219cb129e9 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2018-04-17  Nick Clifton  <nickc@redhat.com>
+
+	PR 23064
+	* dwarf.c (process_cu_tu_index): Test for a potential buffer
+	overrun before copying signature pointer.
+
 2018-04-17  Alan Modra  <amodra@gmail.com>
 
 	* readelf.c: Revert 2018-04-16 and 2018-04-11 changes.
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 10b4e284ce3..f94f5b2fe69 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -9287,7 +9287,18 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
 		}
 
 	      if (!do_display)
-		memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));
+		{
+		  size_t num_copy = sizeof (uint64_t);
+
+		  /* PR 23064: Beware of buffer overflow.  */
+		  if (ph + num_copy < limit)
+		    memcpy (&this_set[row - 1].signature, ph, num_copy);
+		  else
+		    {
+		      warn (_("Signature (%p) extends beyond end of space in section\n"), ph);
+		      return 0;
+		    }
+		}
 
 	      prow = poffsets + (row - 1) * ncols * 4;
 	      /* PR 17531: file: b8ce60a8.  */