From c4375dd764b2e28b585048c55014d4d8fbe2e820 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Thu, 13 May 2021 14:31:09 +0100
Subject: [PATCH] Fix an infinite loop in the DWARF decoder when parsing a corrupt string table.

PR 27861
* dwarf.c (display_debug_str_offsets): Warn if the length field is
larger than the amount of data remaining in the section.
---
 binutils/ChangeLog | 6 ++++++
 binutils/dwarf.c | 9 ++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 85d21ebfa6b..42efebf54e2 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2021-05-13 Nick Clifton
+
+ PR 27861
+ * dwarf.c (display_debug_str_offsets): Warn if the length field is
+ larger than the amount of data remaining in the section.
+
 2021-05-13 Alan Modra
 
 PR 27861
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index b22d33c43dd..20ffe4b52cc 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -7509,6 +7509,13 @@ display_debug_str_offsets (struct dwarf_section *section,
 printf (_(" Length: %#lx\n"), (unsigned long) length);
 printf (_(" Version: %#lx\n"), (unsigned long) version);
 printf (_(" Index Offset [String]\n"));
+
+ if (entries_end > end)
+ {
+ warn (_("Length value (0x%s) > data remaining in the section (0x%lx)\n"),
+ dwarf_vmatoa ("x", length), (long)(end - curr));
+ entries_end = end;
+ }
 }
 
 for (idx = 0; curr < entries_end; idx++)
@@ -7520,7 +7527,7 @@ display_debug_str_offsets (struct dwarf_section *section,
 /* Not enough space to read one entry_length, give up. */
 return 0;
 
- SAFE_BYTE_GET_AND_INC (offset, curr, entry_length, end);
+ SAFE_BYTE_GET_AND_INC (offset, curr, entry_length, entries_end);
 if (dwo)
 string = (const unsigned char *)
 fetch_indexed_string (idx, NULL, entry_length, dwo);
-- 
2.30.2
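Review bot: The new `if (entries_end > end)` clamp in the first dwarf.c hunk compares a pointer that was presumably formed as `curr + length` earlier in display_debug_str_offsets (outside this hunk, so confirm); with an attacker-chosen `length` from a corrupt section that addition can already wrap before the comparison runs, which is undefined behaviour and can make the check pass vacuously. It is more robust to test the length against the remaining bytes before forming the pointer, e.g. `if (length > (dwarf_vma) (end - curr))` and only then compute `entries_end`, so the hardening does not depend on pointer-overflow behaviour. Separately, the warn() call prints `(long)(end - curr)` with `%lx`, which expects an unsigned long; `(unsigned long) (end - curr)` matches the conversion and the style of the surrounding printf() lines. The second hunk's switch to `entries_end` as the bound of SAFE_BYTE_GET_AND_INC is consistent with the clamp and looks right; the enclosing function starts and ends outside both hunks.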