From: Nick Clifton <nickc@redhat.com>
Date: Thu, 6 Jan 2022 16:37:26 +0000 (+0000)
Subject: Fix a stack exhaustion bug parsing malicious STABS format debug information.
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=af4004d1da135610ab931e04a3ba2c9124defbd7;p=binutils-gdb.git

Fix a stack exhaustion bug parsing malicious STABS format debug information.

	PR 28718
	* debug.c (debug_write_type): Allow for malicious recursion via
	indirect debug types.
---

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 3953e4e3e61..0b34eadcdc3 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2022-01-06  Nick Clifton  <nickc@redhat.com>
+
+	PR 28718
+	* debug.c (debug_write_type): Allow for malicious recursion via
+	indirect debug types.
+
 2022-01-04  Nick Clifton  <nickc@redhat.com>
 
 	PR 28716
diff --git a/binutils/debug.c b/binutils/debug.c
index 64a0ad217af..5866365247a 100644
--- a/binutils/debug.c
+++ b/binutils/debug.c
@@ -2484,8 +2484,22 @@ debug_write_type (struct debug_handle *info,
       debug_error (_("debug_write_type: illegal type encountered"));
       return false;
     case DEBUG_KIND_INDIRECT:
-      return debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
-			       name);
+      /* PR 28718: Allow for malicious recursion.  */
+      {
+	static int recursion_depth = 0;
+	bool result;
+
+	if (recursion_depth > 256)
+	  {
+	    debug_error (_("debug_write_type: too many levels of nested indirection"));
+	    return false;
+	  }
+	++ recursion_depth;
+	result = debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
+				  name);
+	-- recursion_depth;
+	return result;
+      }
     case DEBUG_KIND_VOID:
       return (*fns->void_type) (fhandle);
     case DEBUG_KIND_INT: