PR24898, An out-of-bounds read occured in display_data
Given 32-bit pointers and a 64-bit bfd_size_type, it is relatively easy to construct a value of augmentation_data_len (eg. 0x100000000) that won't fail pointer checks but will print without bounds. PR 24898 * dwarf.c (display_debug_frames): Use the read_cie check and error for augmentation data length.
parent
903b777dde
commit
d292364e95
|
@ -1,3 +1,9 @@
|
|||
2019-08-19 Alan Modra <amodra@gmail.com>
|
||||
|
||||
PR 24898
|
||||
* dwarf.c (display_debug_frames): Use the read_cie check and error
|
||||
for augmentation data length.
|
||||
|
||||
2019-08-17 Alan Modra <amodra@gmail.com>
|
||||
|
||||
PR 24911
|
||||
|
|
|
@ -7822,18 +7822,18 @@ display_debug_frames (struct dwarf_section *section,
|
|||
{
|
||||
READ_ULEB (augmentation_data_len);
|
||||
augmentation_data = start;
|
||||
start += augmentation_data_len;
|
||||
/* PR 17512 file: 722-8446-0.004 and PR 22386. */
|
||||
if (start >= end
|
||||
|| ((bfd_signed_vma) augmentation_data_len) < 0
|
||||
|| augmentation_data > start)
|
||||
if (augmentation_data_len > (bfd_size_type) (end - start))
|
||||
{
|
||||
warn (_("Corrupt augmentation data length: 0x%s\n"),
|
||||
dwarf_vmatoa ("x", augmentation_data_len));
|
||||
warn (_("Augmentation data too long: 0x%s, "
|
||||
"expected at most %#lx\n"),
|
||||
dwarf_vmatoa ("x", augmentation_data_len),
|
||||
(unsigned long) (end - start));
|
||||
start = end;
|
||||
augmentation_data = NULL;
|
||||
augmentation_data_len = 0;
|
||||
}
|
||||
start += augmentation_data_len;
|
||||
}
|
||||
|
||||
printf ("\n%08lx %s %s FDE cie=%08lx pc=",
|
||||
|
|
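Review bot: The new bound `augmentation_data_len > (bfd_size_type) (end - start)` is only sound while `start <= end` holds after `READ_ULEB`; if `start` could ever pass `end`, the negative difference would cast to a very large unsigned value and any length would be accepted. READ_ULEB is defined outside this hunk, so that invariant should be confirmed or made explicit in the condition, e.g. `if (start > end || augmentation_data_len > (bfd_size_type) (end - start))`. The comment at the check names only PR 17512 and PR 22386 and does not say why the test is done on lengths; adding something like `/* Compare lengths, not pointers: start + len can wrap with 32-bit pointers (PR 24898). */` would help keep a later edit from reintroducing the pointer-arithmetic form. display_debug_frames starts and ends outside the hunk.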