From 42f39fdedcf3321cab9964945d3f5bca58967b80 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Mon, 19 Dec 2022 11:13:46 +0000 Subject: [PATCH] Fix potential illegal memory accesses when parsing corrupt DWARF data. PR 29914 * dwarf.c (fetch_indexed_value): Fail if the section is not big enough to contain a header size field. (display_debug_addr): Fail if the computed address size is too big or too small. --- binutils/ChangeLog | 8 ++++++++ binutils/dwarf.c | 14 ++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 16bddf73c07..6bd121e82ae 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,11 @@ +2022-12-19 Nick Clifton + + PR 29914 + * dwarf.c (fetch_indexed_value): Fail if the section is not big + enough to contain a header size field. + (display_debug_addr): Fail if the computed address size is too big + or too small. + 2022-12-16 Nick Clifton PR 29908 diff --git a/binutils/dwarf.c b/binutils/dwarf.c index 03b36afcec0..b792902c496 100644 --- a/binutils/dwarf.c +++ b/binutils/dwarf.c @@ -739,6 +739,13 @@ fetch_indexed_value (uint64_t idx, return -1; } + if (section->size < 4) + { + warn (_("Section %s is too small to contain an value indexed from another section!\n"), + section->name); + return -1; + } + uint32_t pointer_size, bias; if (byte_get (section->start, 4) == 0xffffffff) @@ -7770,6 +7777,13 @@ display_debug_addr (struct dwarf_section *section, header = end; idx = 0; + if (address_size < 1 || address_size > sizeof (uint64_t)) + { + warn (_("Corrupt %s section: address size (%x) is wrong"), + section->name, address_size); + return 0; + } + while ((size_t) (end - entry) >= address_size) { uint64_t base = byte_get (entry, address_size); -- 2.30.2