From 906799036a9bcc2b6f27fbcf894092bdc03f6da9 Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Wed, 7 Aug 2019 11:50:28 +0930 Subject: [PATCH] PR24876, readelf: heap-buffer-overflow in dump_ia64_unwind PR 24876 * readelf.c (dump_ia64_unwind): Check that buffer is large enough for "stamp" before reading. --- binutils/ChangeLog | 6 ++++++ binutils/readelf.c | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 411f835ef89..f60d5ffbb02 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,9 @@ +2019-08-07 Alan Modra + + PR 24876 + * readelf.c (dump_ia64_unwind): Check that buffer is large + enough for "stamp" before reading. + 2019-08-05 Nick Clifton PR 24874 diff --git a/binutils/readelf.c b/binutils/readelf.c index e785fde43e7..5e18734f10b 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -7574,7 +7574,8 @@ dump_ia64_unwind (Filedata * filedata, struct ia64_unw_aux_info * aux) } offset -= aux->info_addr; /* PR 17531: file: 0997b4d1. */ - if (offset >= aux->info_size) + if (offset >= aux->info_size + || aux->info_size - offset < 8) { warn (_("Invalid offset %lx in table entry %ld\n"), (long) tp->info.offset, (long) (tp - aux->table)); -- 2.30.2