From 117e35f51972acd1f29fd249ef20343258ef5256 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Thu, 2 Dec 2021 17:48:20 +0000
Subject: [PATCH] Fix illegal memory access whilst parsing corrupt DWARF debug information.

PR 28645 * dwarf.c (process_cu_tu_index): Add test for overruning section whilst processing slots.
---
 binutils/ChangeLog | 6 ++++++
 binutils/dwarf.c | 18 ++++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index c826243d299..215a3d5c2f0 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2021-12-02 Nick Clifton
+
+ PR 28645
+ * dwarf.c (process_cu_tu_index): Add test for overruning section
+ whilst processing slots.
+
 2021-11-30 Roland McGrath
 
 * doc/local.mk: Give each man page target its missing dependency on
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 6f2a49b48c2..6497e541063 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -10465,7 +10465,7 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
 Check for integer overflow (can occur when size_t is 32-bit)
 with overlarge ncols or nused values. */
 if (nused == -1u
- || _mul_overflow ((size_t) ncols, 4, &temp)
+ || _mul_overflow ((size_t) ncols, 4, &temp)
 || _mul_overflow ((size_t) nused + 1, temp, &total)
 || total > (size_t) (limit - ppool))
 {
@@ -10473,7 +10473,7 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
 section->name);
 return 0;
 }
-
+
 if (do_display)
 {
 printf (_(" Offset table\n"));
@@ -10596,7 +10596,21 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
 for (j = 0; j < ncols; j++)
 {
 unsigned char *p = prow + j * 4;
+
+ /* PR 28645: Check for overflow. Since we do not know how
+ many populated rows there will be, we cannot just
+ perform a single check at the start of this function. */
+ if (p > (limit - 4))
+ {
+ if (do_display)
+ printf ("\n");
+ warn (_("Too many rows/columns in DWARF index section %s\n"), section->name);
+ return 0;
+ }
+
 SAFE_BYTE_GET (val, p, 4, limit);
+
 if (do_display)
 printf (" %8d", val);
 else
-- 
2.30.2
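Review bot: The added guard tests `p` only after `prow + j * 4` has already been formed, so when `prow` itself lies beyond `limit` the comparison is made on a pointer outside the section buffer (harmless on flat-address targets, but formally undefined), and it is repeated for every column even though `p` grows monotonically with `j`. Since `temp` (ncols * 4) was already overflow-checked by `_mul_overflow` in the earlier hunk, the whole row can be validated once before the `for` loop, e.g. `if (prow > limit || (size_t) (limit - prow) < temp)` with the same `warn`/`return 0`, which drops the per-column test and never forms `p` past the end. The comment should also say what is actually being checked rather than "overflow": `/* PR 28645: bounds check, not an arithmetic overflow check.  The number of populated rows is not known up front, so the single size check at the top of this function cannot cover this read.  */`. How `prow` is derived, and whether it is guaranteed to be at or after the section start, is outside this hunk; process_cu_tu_index begins and ends outside it as well.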