PR24898, An out-of-bounds read occured in display_data

Given 32-bit pointers and a 64-bit bfd_size_type, it is relatively easy to construct a value of augmentation_data_len (eg. 0x100000000) that won't fail pointer checks but will print without bounds. PR 24898 * dwarf.c (display_debug_frames): Use the read_cie check and error for augmentation data length.
2019-08-19 20:24:35 +09:30 · 2019-08-19 20:24:35 +09:30 · d292364e95
parent 903b777dde
commit d292364e95
2 changed files with 12 additions and 6 deletions
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@ -1,3 +1,9 @@
+2019-08-19  Alan Modra  <amodra@gmail.com>
+
+	PR 24898
+	* dwarf.c (display_debug_frames): Use the read_cie check and error
+	for augmentation data length.
+
 2019-08-17  Alan Modra  <amodra@gmail.com>

 	PR 24911
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@ -7822,18 +7822,18 @@ display_debug_frames (struct dwarf_section *section,
 	    {
 	      READ_ULEB (augmentation_data_len);
 	      augmentation_data = start;
-	      start += augmentation_data_len;
 	      /* PR 17512 file: 722-8446-0.004 and PR 22386.  */
-	      if (start >= end
-		  || ((bfd_signed_vma) augmentation_data_len) < 0
-		  || augmentation_data > start)
+	      if (augmentation_data_len > (bfd_size_type) (end - start))
 		{
-		  warn (_("Corrupt augmentation data length: 0x%s\n"),
-			dwarf_vmatoa ("x", augmentation_data_len));
+		  warn (_("Augmentation data too long: 0x%s, "
+			  "expected at most %#lx\n"),
+			dwarf_vmatoa ("x", augmentation_data_len),
+			(unsigned long) (end - start));
 		  start = end;
 		  augmentation_data = NULL;
 		  augmentation_data_len = 0;
 		}
+	      start += augmentation_data_len;
 	    }

 	  printf ("\n%08lx %s %s FDE cie=%08lx pc=",