From 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Wed, 9 Oct 2019 10:47:13 +1030 Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1 and ffffd5555453b140 result in a total size of 1. Reading the first section of course overflows the buffer and tramples on other memory. PR 25070 * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of total_size calculation. --- bfd/ChangeLog | 6 ++++++ bfd/dwarf2.c | 11 ++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index cf5b3728603..87a6244bca5 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2019-10-09 Alan Modra + + PR 25070 + * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of + total_size calculation. + 2019-10-08 Alan Modra PR 25078 diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c index d39f4fdfe4b..88aaa2d23c2 100644 --- a/bfd/dwarf2.c +++ b/bfd/dwarf2.c @@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, for (total_size = 0; msec; msec = find_debug_info (debug_bfd, debug_sections, msec)) - total_size += msec->size; + { + /* Catch PR25070 testcase overflowing size calculation here. */ + if (total_size + msec->size < total_size + || total_size + msec->size < msec->size) + { + bfd_set_error (bfd_error_no_memory); + return FALSE; + } + total_size += msec->size; + } stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size); if (stash->info_ptr_memory == NULL) -- 2.30.2