PR29893, buffer overflow in display_debug_addr
Checks
Commit Message
PR 29893
* dwarf.c (display_debug_addr): Sanity check dwarf5 unit_length
field. Don't read past end.
@@ -7731,8 +7731,13 @@ display_debug_addr (struct dwarf_section *section,
SAFE_BYTE_GET_AND_INC (length, curr_header, 4, entry);
if (length == 0xffffffff)
SAFE_BYTE_GET_AND_INC (length, curr_header, 8, entry);
+ if (length > (size_t) (section->start + section->size - curr_header))
+ {
+ warn (_("Corrupt %s section: unit_length field of %#" PRIx64
+ " too large\n"), section->name, length);
+ return 0;
+ }
end = curr_header + length;
-
SAFE_BYTE_GET_AND_INC (version, curr_header, 2, entry);
if (version != 5)
warn (_("Corrupt %s section: expecting version number 5 in header but found %d instead\n"),
@@ -7746,7 +7751,7 @@ display_debug_addr (struct dwarf_section *section,
end = section->start + debug_addr_info [i + 1]->addr_base;
header = end;
idx = 0;
- while (entry < end)
+ while ((size_t) (end - entry) >= address_size)
{
uint64_t base = byte_get (entry, address_size);
printf (_("\t%d:\t"), idx);