From 05f62e0c9a0b14e211c6b2b6234095b50794b20b Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Thu, 16 Dec 2021 10:50:58 +1030
Subject: [PATCH] Re: Fix an undefined behaviour in the BFD library's DWARF
 parser

Using an unsigned int cast (to 32 bits) on a pointer difference (of
possibly 64 bits) is wrong.  Even though it will work on all real
object files, the fuzzers will eventually find this hole.

	PR 28687
	* dwarf1.c (parse_die): Cast pointer difference to size_t.
	Catch another possible pointer overflow.
---
 bfd/dwarf1.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c
index 9f4665501b4..6b95e57cae9 100644
--- a/bfd/dwarf1.c
+++ b/bfd/dwarf1.c
@@ -193,8 +193,8 @@ parse_die (bfd *	     abfd,
     return false;
   aDieInfo->length = bfd_get_32 (abfd, xptr);
   xptr += 4;
-  if (aDieInfo->length == 0
-      || this_die + aDieInfo->length > aDiePtrEnd)
+  if (aDieInfo->length <= 4
+      || (size_t) (aDiePtrEnd - this_die) < aDieInfo->length)
     return false;
   aDiePtrEnd = this_die + aDieInfo->length;
   if (aDieInfo->length < 6)
@@ -258,7 +258,7 @@ parse_die (bfd *	     abfd,
 	  if (xptr + 2 <= aDiePtrEnd)
 	    {
 	      block_len = bfd_get_16 (abfd, xptr);
-	      if ((unsigned int) (aDiePtrEnd - xptr) < block_len)
+	      if ((size_t) (aDiePtrEnd - xptr) < block_len)
 		return false;
 	      xptr += block_len;
 	    }
@@ -268,7 +268,7 @@ parse_die (bfd *	     abfd,
 	  if (xptr + 4 <= aDiePtrEnd)
 	    {
 	      block_len = bfd_get_32 (abfd, xptr);
-	      if ((unsigned int) (aDiePtrEnd - xptr) < block_len)
+	      if ((size_t) (aDiePtrEnd - xptr) < block_len)
 		return false;
 	      xptr += block_len;
 	    }
-- 
2.30.2