PR22169, heap-based buffer overflow in read_1_byte

The .debug_line header length field doesn't include the length field itself, ie. it's the size of the rest of .debug_line. PR 22169 * dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
2017-09-24 14:36:16 +09:30 · 2017-09-24 14:36:16 +09:30 · 515f23e63c
parent 0d76029f92
commit 515f23e63c
2 changed files with 9 additions and 3 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,8 @@
+2017-09-24  Alan Modra  <amodra@gmail.com>
+
+	PR 22169
+	* dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
+
 2017-09-24  Alan Modra  <amodra@gmail.com>

 	PR 22167
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@ -2096,12 +2096,13 @@ decode_line_info (struct comp_unit *unit, struct dwarf2_debug *stash)
      offset_size = 8;
    }

-  if (unit->line_offset + lh.total_length > stash->dwarf_line_size)
+  if (lh.total_length > (size_t) (line_end - line_ptr))
    {
      _bfd_error_handler
 	/* xgettext: c-format */
-	(_("Dwarf Error: Line info data is bigger (%#Lx) than the space remaining in the section (%#Lx)"),
-	 lh.total_length, stash->dwarf_line_size - unit->line_offset);
+	(_("Dwarf Error: Line info data is bigger (%#Lx)"
+	   " than the space remaining in the section (%#lx)"),
+	 lh.total_length, (unsigned long) (line_end - line_ptr));
      bfd_set_error (bfd_error_bad_value);
      return NULL;
    }