From 6aea08d9f3e3d6475a65454da488a0c51f5dc97d Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 17 Apr 2018 12:35:55 +0100 Subject: [PATCH] Fix illegal memory access when parsing corrupt DWARF information. PR 23064 * dwarf.c (process_cu_tu_index): Test for a potential buffer overrun before copying signature pointer. --- binutils/ChangeLog | 6 ++++++ binutils/dwarf.c | 13 ++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 1b63c7d0184..5219cb129e9 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,9 @@ +2018-04-17 Nick Clifton + + PR 23064 + * dwarf.c (process_cu_tu_index): Test for a potential buffer + overrun before copying signature pointer. + 2018-04-17 Alan Modra * readelf.c: Revert 2018-04-16 and 2018-04-11 changes. diff --git a/binutils/dwarf.c b/binutils/dwarf.c index 10b4e284ce3..f94f5b2fe69 100644 --- a/binutils/dwarf.c +++ b/binutils/dwarf.c @@ -9287,7 +9287,18 @@ process_cu_tu_index (struct dwarf_section *section, int do_display) } if (!do_display) - memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t)); + { + size_t num_copy = sizeof (uint64_t); + + /* PR 23064: Beware of buffer overflow. */ + if (ph + num_copy < limit) + memcpy (&this_set[row - 1].signature, ph, num_copy); + else + { + warn (_("Signature (%p) extends beyond end of space in section\n"), ph); + return 0; + } + } prow = poffsets + (row - 1) * ncols * 4; /* PR 17531: file: b8ce60a8. */ -- 2.30.2