From fa501b69309ccb03ec957101f24109ed7f737733 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Fri, 16 Dec 2022 12:06:43 +0000
Subject: [PATCH] Fix a potential illegal memory access when parsing corrupt DWARF information.

PR 29908
* dwarf.c (display_debug_addr): Check for corrupt header lengths.
---
 binutils/ChangeLog | 5 +++++
 binutils/dwarf.c | 21 ++++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 6ec81ebd099..16bddf73c07 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,8 @@
+2022-12-16 Nick Clifton
+
+ PR 29908
+ * dwarf.c (display_debug_addr): Check for corrupt header lengths.
+
 2022-12-01 Nick Clifton

 PR 25202
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 33ee41cb6c9..533f1183012 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -7738,6 +7738,12 @@ display_debug_addr (struct dwarf_section *section,
 return 0;
 }
 end = curr_header + length;
+ if (end < entry)
+ {
+ warn (_("Corrupt %s section header: length field (%lx) is too small\n"),
+ section->name, length);
+ return 0;
+ }
 SAFE_BYTE_GET_AND_INC (version, curr_header, 2, entry);
 if (version != 5)
 warn (_("Corrupt %s section: expecting version number 5 in header but found %d instead\n"),
@@ -7748,9 +7754,22 @@ display_debug_addr (struct dwarf_section *section,
 address_size += segment_selector_size;
 }
 else
- end = section->start + debug_addr_info [i + 1]->addr_base;
+ {
+ end = section->start + debug_addr_info [i + 1]->addr_base;
+
+ if (end < entry)
+ {
+ warn (_("Corrupt %s section: address base of entry %u (%lx) is less than entry %u (%lx)\n"),
+ section->name,
+ i, debug_addr_info [i]->addr_base,
+ i + 1, debug_addr_info [i + 1]->addr_base);
+ return 0;
+ }
+ }
+
 header = end;
 idx = 0;
+
 while ((size_t) (end - entry) >= address_size)
 {
 uint64_t base = byte_get (entry, address_size);
--
2.30.2
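Review bot: In the first dwarf.c hunk (`@@ -7738,6 +7738,12 @@`) the new `end < entry` test runs only after `end = curr_header + length` has been formed, so it validates a derived pointer rather than the untrusted `length` field itself. Comparing the length with the remaining header bytes before the addition, `if (length < (size_t) (entry - curr_header))`, keeps the check in integer arithmetic and does not depend on how an out-of-range pointer compares. Both new warn() calls, here and in the second hunk, print with `%lx`; the types of `length` and `addr_base` are not visible in the patch, and if they are 64-bit the format is wrong on hosts where `long` is 32 bits. The body of display_debug_addr starts and ends outside the hunk, so an upper-bound check on `length` may already sit above the `return 0; }` context lines.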
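Review bot: In the second dwarf.c hunk (`@@ -7748,9 +7754,22 @@`) the else branch rejects a next `addr_base` that lies below `entry`, but nothing visible bounds it from above. `end` is taken directly from `debug_addr_info [i + 1]->addr_base`, and the `while ((size_t) (end - entry) >= address_size)` loop at the end of the hunk then reads up to `end` with byte_get. Unless the bases are checked against the section size outside the hunk, a corrupt base larger than the section would still read past the buffer. A guard on the offset before `end` is computed covers that side, for example `if (debug_addr_info [i + 1]->addr_base > section->size)` with its own warning and `return 0;`.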