From 03a91817f163986f10cb843f58e2f2cd9186e4f0 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 10 Feb 2015 17:13:31 +0000 Subject: [PATCH] Fixes for memory access violations triggered by running readelf on fuzzed binaries. PR binutils/17531 * dwarf.c (process_debug_info): Zero the debug information array since correct initialisation cannot be relied upon. (process_cu_tu_index): Improve range checks. --- binutils/ChangeLog | 5 +++++ binutils/dwarf.c | 11 +++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 93cab7300cd..4befee323ac 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -17,6 +17,11 @@ li_prologue_length. (eh_addr_size): Update prototype. + PR binutils/17531 + * dwarf.c (process_debug_info): Zero the debug information array + since correct initialisation cannot be relied upon. + (process_cu_tu_index): Improve range checks. + 2015-02-09 Mark Wielaard * dwarf.c (read_and_display_attr_value): Handle DW_LANG_Fortran03 diff --git a/binutils/dwarf.c b/binutils/dwarf.c index 9daf31579a5..426dca58a5e 100644 --- a/binutils/dwarf.c +++ b/binutils/dwarf.c @@ -2304,6 +2304,13 @@ process_debug_info (struct dwarf_section *section, alloc_num_debug_info_entries = num_debug_info_entries = 0; return 0; } + /* PR 17531: file: 92ca3797. + We cannot rely upon the debug_information array being initialised + before it is used. A corrupt file could easily contain references + to a unit for which information has not been made available. So + we ensure that the array is zeroed here. */ + memset (debug_information, 0, num_units * sizeof * debug_information); + alloc_num_debug_info_entries = num_units; } @@ -6913,7 +6920,7 @@ process_cu_tu_index (struct dwarf_section *section, int do_display) ppool = pindex + nslots * 4; /* PR 17531: file: 45d69832. */ - if (pindex < phash || ppool < phdr) + if (pindex < phash || ppool < phdr || (pindex == phash && nslots != 0)) { warn (_("Section %s is too small for %d slots\n"), section->name, nslots); @@ -6930,7 +6937,7 @@ process_cu_tu_index (struct dwarf_section *section, int do_display) printf (_(" Number of slots: %d\n\n"), nslots); } - if (ppool > limit) + if (ppool > limit || ppool < phdr) { warn (_("Section %s too small for %d hash table entries\n"), section->name, nslots); -- 2.30.2