From c8628c770bc9055cfd42cfc2e3c416495653f5f8 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Tue, 13 Dec 2022 00:27:11 +1030
Subject: [PATCH] PR29893, buffer overflow in display_debug_addr

	PR 29893
	* dwarf.c (display_debug_addr): Sanity check dwarf5 unit_length
	field.  Don't read past end.
---
 binutils/dwarf.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index b3039151ff6..c39c695863a 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -7731,8 +7731,13 @@ display_debug_addr (struct dwarf_section *section,
 	  SAFE_BYTE_GET_AND_INC (length, curr_header, 4, entry);
 	  if (length == 0xffffffff)
 	    SAFE_BYTE_GET_AND_INC (length, curr_header, 8, entry);
+	  if (length > (size_t) (section->start + section->size - curr_header))
+	    {
+	      warn (_("Corrupt %s section: unit_length field of %#" PRIx64
+		      " too large\n"), section->name, length);
+	      return 0;
+	    }
 	  end = curr_header + length;
-
 	  SAFE_BYTE_GET_AND_INC (version, curr_header, 2, entry);
 	  if (version != 5)
 	    warn (_("Corrupt %s section: expecting version number 5 in header but found %d instead\n"),
@@ -7746,7 +7751,7 @@ display_debug_addr (struct dwarf_section *section,
 	end = section->start + debug_addr_info [i + 1]->addr_base;
       header = end;
       idx = 0;
-      while (entry < end)
+      while ((size_t) (end - entry) >= address_size)
 	{
 	  uint64_t base = byte_get (entry, address_size);
 	  printf (_("\t%d:\t"), idx);
-- 
2.30.2