PR gdb/15827

Install some sanity checks that sibling DIE offsets are not beyond the defined limits of the DWARF input buffer in read_partial_die and skip_one_die. 2014-03-20 Keith Seitz <keiths@redhat.com> PR gdb/15827 * dwarf2read.c (skip_one_die): Check that all relative-offset sibling DIEs fall within range of the current reader's buffer. (read_partial_die): Likewise. 2014-03-20 Keith Seitz <keiths@redhat.com> PR gdb/15827 * gdb.dwarf2/corrupt.c: New file. * gdb.dwarf2/corrupt.exp: New file.
2014-04-16 14:39:10 -07:00 · 2014-04-16 14:39:10 -07:00 · 22869d73e1
commit 22869d73e1
parent c4f87ca6db
5 changed files with 118 additions and 0 deletions
--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
@ -1,3 +1,10 @@
+2014-04-16  Keith Seitz  <keiths@redhat.com>
+
+	PR gdb/15827
+	* dwarf2read.c (skip_one_die): Check that all relative-offset
+	sibling DIEs fall within range of the current reader's buffer.
+	(read_partial_die): Likewise.
+
 2014-04-16  Keith Seitz  <keiths@redhat.com>

 	PR c++/16597
--- a/gdb/dwarf2read.c
+++ b/gdb/dwarf2read.c
@ -7104,6 +7104,8 @@ skip_one_die (const struct die_reader_specs *reader, const gdb_byte *info_ptr,
 	      if (sibling_ptr < info_ptr)
 		complaint (&symfile_complaints,
 			   _("DW_AT_sibling points backwards"));
+	      else if (sibling_ptr > reader->buffer_end)
+		dwarf2_section_buffer_overflow_complaint (reader->die_section);
 	      else
 		return sibling_ptr;
 	    }
@ -15502,6 +15504,8 @@ read_partial_die (const struct die_reader_specs *reader,
 	      if (sibling_ptr < info_ptr)
 		complaint (&symfile_complaints,
 			   _("DW_AT_sibling points backwards"));
+	      else if (sibling_ptr > reader->buffer_end)
+		dwarf2_section_buffer_overflow_complaint (reader->die_section);
 	      else
 		part_die->sibling = sibling_ptr;
 	    }
--- a/gdb/testsuite/ChangeLog
+++ b/gdb/testsuite/ChangeLog
@ -1,3 +1,9 @@
+2014-04-16  Keith Seitz  <keiths@redhat.com>
+
+	PR gdb/15827
+	* gdb.dwarf2/corrupt.c: New file.
+	* gdb.dwarf2/corrupt.exp: New file.
+
 2014-04-16  Keith Seitz  <keiths@redhat.com>

 	PR c++/16597
--- a/gdb/testsuite/gdb.dwarf2/corrupt.c
+++ b/gdb/testsuite/gdb.dwarf2/corrupt.c
@ -0,0 +1,24 @@
+/* This testcase is part of GDB, the GNU debugger.
+
+   Copyright 2014 Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
+
+/* Dummy main function.  */
+
+int
+main (void)
+{
+  return 0;
+}
--- a/gdb/testsuite/gdb.dwarf2/corrupt.exp
+++ b/gdb/testsuite/gdb.dwarf2/corrupt.exp
@ -0,0 +1,77 @@
+# Copyright 2014 Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Test corrupt DWARF input
+# PR gdb/15827
+
+load_lib dwarf.exp
+
+if {![dwarf2_support]} {
+    return 0
+}
+
+standard_testfile corrupt.c corrupt.S
+
+# Make the DWARF used for the test.
+#
+# Here we put DW_AT_sibling DIEs into the output which
+# point off into la-la land.  The whole purpose is to simulate
+# corrupt DWARF information and make sure that GDB can handle it
+# without crashing.
+
+set asm_file [standard_output_file $srcfile2]
+Dwarf::assemble $asm_file {
+    cu {} {
+	compile_unit {} {
+	    declare_labels int_label
+
+	    int_label: base_type {
+		{byte_size 4}
+		{name "int"}
+	    }
+
+	    enumeration_type {
+		{name "ENUM"}
+		{byte_size 4}
+	    } {
+		enumerator {
+		    {name "A"}
+		    {const_value 0}
+		}
+		enumerator {
+		    {name "B"}
+		    {const_value 1}
+		    {sibling 12345678 DW_FORM_ref4}
+		} {
+		    base_type {
+			{byte_size 1}
+			{name "char"}
+		    }
+		}
+		array_type {
+		    {type :$int_label}
+		    {sibling 12345678 DW_FORM_ref4}
+		}
+	    }
+	}
+    }
+}
+
+if {[prepare_for_testing $testfile.exp $testfile \
+	 [list $srcfile $asm_file] {nodebug}]} {
+    return -1
+}
+
+gdb_test "print 1" "= 1" "recover from corrupt DWARF"