From 34d63622f677b577b927debb1d6fd2bfef4422bd Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Tue, 18 Apr 2023 10:20:08 +0930 Subject: [PATCH] objdump buffer overflow in fetch_indexed_string PR 30361 * dwarf.c (fetch_indexed_string): Sanity check string index. --- binutils/dwarf.c | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/binutils/dwarf.c b/binutils/dwarf.c index 87ce1541d1c..86893c59dc7 100644 --- a/binutils/dwarf.c +++ b/binutils/dwarf.c @@ -659,14 +659,13 @@ fetch_indexed_string (uint64_t idx, return (dwo ? _("") : _("")); - index_offset = idx * offset_size; - - if (this_set != NULL) - index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS]; - - index_offset += str_offsets_base; - - if (index_offset + offset_size > index_section->size) + if (_mul_overflow (idx, offset_size, &index_offset) + || (this_set != NULL + && ((index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS]) + < this_set->section_offsets [DW_SECT_STR_OFFSETS])) + || (index_offset += str_offsets_base) < str_offsets_base + || index_offset + offset_size < offset_size + || index_offset + offset_size > index_section->size) { warn (_("string index of %" PRIu64 " converts to an offset of %#" PRIx64 " which is too big for section %s"), @@ -675,11 +674,6 @@ fetch_indexed_string (uint64_t idx, return _(""); } - /* FIXME: If we are being paranoid then we should also check to see if - IDX references an entry beyond the end of the string table pointed to - by STR_OFFSETS_BASE. (Since there can be more than one string table - in a DWARF string section). */ - str_offset = byte_get (index_section->start + index_offset, offset_size); str_offset -= str_section->address; -- 2.30.2