From 49910fd88dcd2ec3d0d9e56120ceb56a6a64b7b8 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Fri, 2 Jul 2021 14:56:36 +0100 Subject: [PATCH] Fix an illegal memory access triggered by an attempt to parse a corrupt input file. PR 28046 * dwarf2.c (read_ranges): Check that range_ptr does not exceed range_end. --- bfd/ChangeLog | 6 ++++++ bfd/dwarf2.c | 5 ++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index abb9e09a849..1c4c176c9fa 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2021-07-02 Nick Clifton + + PR 28046 + * dwarf2.c (read_ranges): Check that range_ptr does not exceed + range_end. + 2021-06-30 YunQiang Su PR mips/28009 diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c index 79fcd0618d8..1247f952def 100644 --- a/bfd/dwarf2.c +++ b/bfd/dwarf2.c @@ -909,7 +909,8 @@ read_address (struct comp_unit *unit, bfd_byte **ptr, bfd_byte *buf_end) if (bfd_get_flavour (unit->abfd) == bfd_target_elf_flavour) signed_vma = get_elf_backend_data (unit->abfd)->sign_extend_vma; - if (unit->addr_size > (size_t) (buf_end - buf)) + if (unit->addr_size > (size_t) (buf_end - buf) + || (buf > buf_end)) { *ptr = buf_end; return 0; @@ -3097,6 +3098,8 @@ read_ranges (struct comp_unit *unit, struct arange *arange, if (ranges_ptr < unit->file->dwarf_ranges_buffer) return false; ranges_end = unit->file->dwarf_ranges_buffer + unit->file->dwarf_ranges_size; + if (ranges_ptr >= ranges_end) + return false; for (;;) { -- 2.30.2