From 8f461a883bab76c9075ebb1083c9a23af24c201b Mon Sep 17 00:00:00 2001 From: Ian Lance Taylor Date: Wed, 2 Dec 2020 11:06:40 -0800 Subject: [PATCH] libbacktrace: correct buffer overflow tests * dwarf.c (resolve_string): Use > rather than >= to check whether string index extends past buffer. (resolve_addr_index): Similarly for address index. --- libbacktrace/dwarf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libbacktrace/dwarf.c b/libbacktrace/dwarf.c index 582f34bc816..0c913c95983 100644 --- a/libbacktrace/dwarf.c +++ b/libbacktrace/dwarf.c @@ -1053,7 +1053,7 @@ resolve_string (const struct dwarf_sections *dwarf_sections, int is_dwarf64, offset = val->u.uint * (is_dwarf64 ? 8 : 4) + str_offsets_base; if (offset + (is_dwarf64 ? 8 : 4) - >= dwarf_sections->size[DEBUG_STR_OFFSETS]) + > dwarf_sections->size[DEBUG_STR_OFFSETS]) { error_callback (data, "DW_FORM_strx value out of range", 0); return 0; @@ -1097,7 +1097,7 @@ resolve_addr_index (const struct dwarf_sections *dwarf_sections, struct dwarf_buf addr_buf; offset = addr_index * addrsize + addr_base; - if (offset + addrsize >= dwarf_sections->size[DEBUG_ADDR]) + if (offset + addrsize > dwarf_sections->size[DEBUG_ADDR]) { error_callback (data, "DW_FORM_addrx value out of range", 0); return 0; -- 2.30.2