Prevent illegal memory accesses triggerd by intger overflow when parsing corrupt DWARF information on a 32-bit host.

PR 22905 * dwarf.c (display_debug_ranges): Check that the offset loaded from the range_entry structure is valid.
2018-03-01 16:14:08 +00:00 · 2018-03-01 16:14:08 +00:00 · d11ae95ea3
parent 0cb7c7b0bb
commit d11ae95ea3
2 changed files with 21 additions and 0 deletions
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@ -1,3 +1,9 @@
+2018-03-01  Nick Clifton  <nickc@redhat.com>
+
+	PR 22905
+	* dwarf.c (display_debug_ranges): Check that the offset loaded
+	from the range_entry structure is valid.
+
 2018-03-01  Alan Modra  <amodra@gmail.com>

 	* configure.ac (ALL_LINGUAS): Add sr.  Sort.
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@ -387,6 +387,9 @@ read_uleb128 (unsigned char * data,
    }								\
  while (0)

+/* Read AMOUNT bytes from PTR and store them in VAL as an unsigned value.
+   Checks to make sure that the read will not reach or pass END
+   and that VAL is big enough to hold AMOUNT bytes.  */
 #define SAFE_BYTE_GET(VAL, PTR, AMOUNT, END)	\
  do						\
    {						\
@ -415,6 +418,7 @@ read_uleb128 (unsigned char * data,
    }						\
  while (0)

+/* Like SAFE_BYTE_GET, but also increments PTR by AMOUNT.  */
 #define SAFE_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END)	\
  do							\
    {							\
@ -423,6 +427,7 @@ read_uleb128 (unsigned char * data,
    }							\
  while (0)

+/* Like SAFE_BYTE_GET, but reads a signed value.  */
 #define SAFE_SIGNED_BYTE_GET(VAL, PTR, AMOUNT, END)	\
  do							\
    {							\
@ -441,6 +446,7 @@ read_uleb128 (unsigned char * data,
    }							\
  while (0)

+/* Like SAFE_SIGNED_BYTE_GET, but also increments PTR by AMOUNT.  */
 #define SAFE_SIGNED_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END)	\
  do								\
    {								\
@ -6543,6 +6549,7 @@ display_debug_ranges_list (unsigned char *start, unsigned char *finish,
 	break;
      SAFE_SIGNED_BYTE_GET_AND_INC (end, start, pointer_size, finish);

+      
      printf ("    %8.8lx ", offset);

      if (begin == 0 && end == 0)
@ -6810,6 +6817,13 @@ display_debug_ranges (struct dwarf_section *section,
 	  continue;
 	}

+      if (next < section_begin || next >= finish)
+	{
+	  warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"),
+		(unsigned long) offset, i);
+	  continue;
+	}
+
      if (dwarf_check != 0 && i > 0)
 	{
 	  if (start < next)
@ -6825,6 +6839,7 @@ display_debug_ranges (struct dwarf_section *section,
 		    (unsigned long) (next - section_begin), section->name);
 	    }
 	}
+
      start = next;
      last_start = next;