From d919194f08518c8bb9904f76c1077c4ac2037475 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Mon, 6 Mar 2023 10:43:16 +1030
Subject: [PATCH] Correct odd loop in ecoff lookup_line

I can't see why this really odd looking loop was written the way it was in commit a877f5917f90, but it can result in a buffer overrun.

	* ecofflink.c (lookup_line): Don't swap in pdr at pdr_end.
---
 bfd/ecofflink.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/bfd/ecofflink.c b/bfd/ecofflink.c
index 422ce57f430..00f1e3da404 100644
--- a/bfd/ecofflink.c
+++ b/bfd/ecofflink.c
@@ -2093,7 +2093,7 @@ lookup_line (bfd *abfd,
 	 because we iterate over every FDR rather than just ones with a
 	 base address less than or equal to 'offset'. */
       bfd_signed_vma dist = -1, min_dist = -1;
-      char *pdr_hold;
+      char *pdr_hold = NULL;
       char *pdr_end;
 
       fdr_ptr = tab[i].fdr;
@@ -2101,17 +2101,14 @@ lookup_line (bfd *abfd,
       pdr_ptr = ((char *) debug_info->external_pdr
 		 + fdr_ptr->ipdFirst * external_pdr_size);
       pdr_end = pdr_ptr + fdr_ptr->cpd * external_pdr_size;
-      (*debug_swap->swap_pdr_in) (abfd, pdr_ptr, &pdr);
       /* Find PDR that is closest to OFFSET. If pdr.prof is set,
 	 the procedure entry-point *may* be 0x10 below pdr.adr. We
 	 simply pretend that pdr.prof *implies* a lower entry-point.
 	 This is safe because it just means that may identify 4 NOPs
 	 in front of the function as belonging to the function. */
-      for (pdr_hold = NULL;
-	   pdr_ptr < pdr_end;
-	   (pdr_ptr += external_pdr_size,
-	    (*debug_swap->swap_pdr_in) (abfd, pdr_ptr, &pdr)))
+      for (; pdr_ptr < pdr_end; pdr_ptr += external_pdr_size)
 	{
+	  (*debug_swap->swap_pdr_in) (abfd, pdr_ptr, &pdr);
 	  if (offset >= (pdr.adr - 0x10 * pdr.prof))
 	    {
 	      dist = offset - (pdr.adr - 0x10 * pdr.prof);
-- 
2.30.2
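Review bot: The new `for` in the second hunk still walks up to `pdr_end`, which the unchanged lines just above it compute from `fdr_ptr->ipdFirst` and `fdr_ptr->cpd` read out of the object file's own FDR, so an FDR that claims more PDRs than the symbolic header actually supplies would still let `swap_pdr_in` read beyond `debug_info->external_pdr`; this change only drops the extra swap at `pdr_end` itself. Unless those counts are already validated where the FDR table is built (not visible here), I'd guard before computing `pdr_end`, e.g. `if (fdr_ptr->ipdFirst < 0 || fdr_ptr->cpd < 0 || fdr_ptr->ipdFirst > debug_info->symbolic_header.ipdMax || fdr_ptr->cpd > debug_info->symbolic_header.ipdMax - fdr_ptr->ipdFirst)` and treat such an FDR as having no PDRs. I'd also put a one-line comment on the moved swap, `/* Decode each PDR only once it is known to lie inside [pdr_ptr, pdr_end).  */`, since the reason for moving it out of the increment expression is exactly the overrun the commit message describes. Both the `for` body and `lookup_line` itself continue outside the hunk.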