This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



[committed] PATCH: Properly check abbrev size


commit 72c61a0d1ef445f99305859b66450da60ec6e0cb
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jan 12 16:08:41 2015 +0000

    More fixes for memory access errors when running readelf on fuzzed binaries.
    
    	PR binutils/17531
    	* dwarf.c (process_debug_info): Check for abbrev_base being larger
    	than the section size.
    	(process_cu_tu_index): Use xcalloc2 to allocate the CU and TU
    	arrays.
    	(xcalloc2): New function.  Like xcalloc, but checks for overflow.
    	* dwarf.h (xcalloc2): Prototype.

caused:

FAIL: dwp_test_1.sh
FAIL: dwp_test_2.sh

in gold test.

abbrev_base is independent of abbrev_size.  We should use abbrev_base +
abbrev_size to check abbrev section size.

	* dwarf.c (process_debug_info): Properly check abbrev size.
---
 binutils/ChangeLog | 4 ++++
 binutils/dwarf.c   | 9 +++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index af7689b..372230e 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,7 @@
+2015-01-12  H.J. Lu  <hongjiu.lu@intel.com>
+
+	* dwarf.c (process_debug_info): Properly check abbrev size.
+
 2015-01-12  Nick Clifton  <nickc@redhat.com>
 
 	PR binutils/17531
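Review bot: the new ChangeLog entry does not carry the PR reference, although it amends the immediately preceding "PR binutils/17531" entry and fixes the gold test regression (dwp_test_1.sh, dwp_test_2.sh) that entry caused. Suggest prefixing it with a "PR binutils/17531" line, as the entry below does, so the history of this check can be followed from the PR.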
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index a7310c8..d82c89c 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -2467,10 +2467,11 @@ process_debug_info (struct dwarf_section *section,
 	      (unsigned long) compunit.cu_abbrev_offset,
 	      (unsigned long) abbrev_size);
       /* PR 17531: file:4bcd9ce9.  */ 
-      else if (abbrev_base >= abbrev_size)
-	warn (_("Debug info is corrupted, abbrev base (%lx) is larger than abbrev section size (%lx)\n"),
-	      (unsigned long) abbrev_base,
-	      (unsigned long) abbrev_size);
+      else if ((abbrev_base + abbrev_size)
+	       > debug_displays [abbrev_sec].section.size)
+	warn (_("Debug info is corrupted, abbrev size (%lx) is larger than abbrev section size (%lx)\n"),
+	      (unsigned long) abbrev_base + abbrev_size,
+	      (unsigned long) debug_displays [abbrev_sec].section.size);
       else
 	process_abbrev_section
 	  (((unsigned char *) debug_displays [abbrev_sec].section.start
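Review bot: the new condition `(abbrev_base + abbrev_size) > debug_displays [abbrev_sec].section.size` can be defeated by wrap-around, since both operands come from the input being parsed (this series exists precisely because readelf is fed fuzzed binaries). If abbrev_base is close to the maximum of its type, the sum wraps to a small value, the check passes, and process_abbrev_section is called with an out-of-range base. A form that cannot overflow is `abbrev_base > debug_displays [abbrev_sec].section.size || abbrev_size > debug_displays [abbrev_sec].section.size - abbrev_base`. Two smaller points on the warn() call: the cast in `(unsigned long) abbrev_base + abbrev_size` binds only to abbrev_base, so the value actually passed for `%lx` is the sum in the type of abbrev_size, which may not match the format on every host; write `(unsigned long) (abbrev_base + abbrev_size)`. And the message text says "abbrev size" while the value printed is base plus size, so "abbrev base + size" (or "abbrev end offset") would describe the number shown.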
-- 
1.9.3

