PR22239 - invalid memory read in display_debug_frames

Pointer comparisons have traps for the unwary.  After adding a large
unknown value to "start", the test "start < end" depends on where
"start" is originally in memory.

	PR 22239
	* dwarf.c (read_cie): Don't compare "start" and "end" pointers
	after adding a possibly wild length to "start", compare the length
	to the difference of the pointers instead.  Remove now redundant
	"negative" length test.
This commit is contained in:
Alan Modra 2017-10-05 17:32:18 +10:30
parent c91933e9e3
commit 9c0f3d3f20
2 changed files with 12 additions and 11 deletions

View File

@ -1,3 +1,11 @@
2017-10-05 Alan Modra <amodra@gmail.com>
PR 22239
* dwarf.c (read_cie): Don't compare "start" and "end" pointers
after adding a possibly wild length to "start", compare the length
to the difference of the pointers instead. Remove now redundant
"negative" length test.
2017-10-05 Tristan Gingold <tgingold@free.fr>
* MAINTAINERS: Update email address. Redirect release maintainer

View File

@ -7001,14 +7001,14 @@ read_cie (unsigned char *start, unsigned char *end,
{
READ_ULEB (augmentation_data_len);
augmentation_data = start;
start += augmentation_data_len;
/* PR 17512: file: 11042-2589-0.004. */
if (start > end)
if (augmentation_data_len > (size_t) (end - start))
{
warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
augmentation_data_len, (long)((end - start) + augmentation_data_len));
augmentation_data_len, (unsigned long) (end - start));
return end;
}
start += augmentation_data_len;
}
if (augmentation_data_len)
@ -7021,14 +7021,7 @@ read_cie (unsigned char *start, unsigned char *end,
q = augmentation_data;
qend = q + augmentation_data_len;
/* PR 17531: file: 015adfaa. */
if (qend < q)
{
warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
augmentation_data_len = 0;
}
while (p < end && q < augmentation_data + augmentation_data_len)
while (p < end && q < qend)
{
if (*p == 'L')
q++;