PR25070, SEGV in function _bfd_dwarf2_find_nearest_line

Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
and ffffd5555453b140 result in a total size of 1.  Reading the first
section of course overflows the buffer and tramples on other memory.

	PR 25070
	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
	total_size calculation.
Alan Modra 2019-10-09 10:47:13 +10:30
parent 41481f9e4e
commit 336bfbeb18
2 changed files with 16 additions and 1 deletions
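
The arithmetic in the commit message, as an added example that is not code from binutils or from this commit: the two quoted section sizes are summed with and without a wrap check, and the wrapped total is compared against the first section's size. The function names are hypothetical, and `uint64_t` is an assumption standing in for the type of `total_size`, which the page does not show.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed input: the two section sizes quoted in the commit message. */
static const uint64_t pr25070_sizes[] = {
  UINT64_C(0x2aaaabac4ec1), UINT64_C(0xffffd5555453b140)
};
/* Pre-fix accumulation: the sum silently wraps modulo 2^64. */
uint64_t sum_sizes_unchecked(const uint64_t *sizes, size_t n)
{
  uint64_t total = 0;
  for (size_t i = 0; i < n; i++)
    total += sizes[i];
  return total;
}

/* Post-fix accumulation: fail as soon as one addition wraps. */
bool sum_sizes_checked(const uint64_t *sizes, size_t n, uint64_t *total_out)
{
  uint64_t total = 0;
  for (size_t i = 0; i < n; i++) {
    if (total + sizes[i] < total)  /* unsigned wrap: sum is below an addend */
      return false;
    total += sizes[i];
  }
  *total_out = total;
  return true;
}

/* First section that does not fit when copied back to back into `allocated` bytes; n if all fit. */
size_t first_oversized_section(const uint64_t *sizes, size_t n, uint64_t allocated)
{
  uint64_t off = 0;
  for (size_t i = 0; i < n; i++) {
    if (off > allocated || sizes[i] > allocated - off)
      return i;
    off += sizes[i];
  }
  return n;
}

int main(void)
{
  size_t n = sizeof pr25070_sizes / sizeof pr25070_sizes[0];
  uint64_t total = sum_sizes_unchecked(pr25070_sizes, n);
  printf("wrapped total=%llu, first section that overflows it=%zu\n",
         (unsigned long long) total, first_oversized_section(pr25070_sizes, n, total));
  return 0;
}
```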

@ -1,3 +1,9 @@
2019-10-09 Alan Modra <amodra@gmail.com>
PR 25070
* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
total_size calculation.
2019-10-08 Alan Modra <amodra@gmail.com>
PR 25078

@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
for (total_size = 0;
msec;
msec = find_debug_info (debug_bfd, debug_sections, msec))
total_size += msec->size;
{
/* Catch PR25070 testcase overflowing size calculation here. */
if (total_size + msec->size < total_size
|| total_size + msec->size < msec->size)
{
bfd_set_error (bfd_error_no_memory);
return FALSE;
}
total_size += msec->size;
}
stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
if (stash->info_ptr_memory == NULL)
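
Review bot: the second comparison in the new check, `total_size + msec->size < msec->size`, looks redundant. If both operands are unsigned (their declarations are outside this hunk), a wrapped sum is smaller than both addends, so `total_size + msec->size < total_size` alone detects it; if either could be signed, the check would need a different form. The failure is also reported as `bfd_error_no_memory`, although the cause is inconsistent section sizes in the input file rather than an exhausted host; a file-format error such as `bfd_error_bad_value` would tell callers which side is at fault. Note that the check only rejects wraparound: a large total that does not wrap still reaches `bfd_malloc (total_size)`, where the NULL test that follows is the only guard, so a comparison of the total against the file size would be worth considering here as well.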