This is the mail archive of the
binutils@sourceware.org
mailing list for the binutils project.
[committed] PATCH: Properly check abbrev size
- From: "H.J. Lu" <hongjiu dot lu at intel dot com>
- To: binutils at sourceware dot org
- Date: Mon, 12 Jan 2015 13:38:32 -0800
- Subject: [committed] PATCH: Properly check abbrev size
- Authentication-results: sourceware.org; auth=none
- Reply-to: "H.J. Lu" <hjl dot tools at gmail dot com>
commit 72c61a0d1ef445f99305859b66450da60ec6e0cb
Author: Nick Clifton <nickc@redhat.com>
Date: Mon Jan 12 16:08:41 2015 +0000
More fixes for memory access errors when running readelf on fuzzed
binaries.
PR binutils/17531
* dwarf.c (process_debug_info): Check for abbrev_base being larger
than the section size.
(process_cu_tu_index): Use xcalloc2 to allocate the CU and TU
arrays.
(xcalloc2): New function. Like xcalloc, but checks for
overflow.
* dwarf.h (xcalloc2): Prototype.
caused:
FAIL: dwp_test_1.sh
FAIL: dwp_test_2.sh
in gold test.
abbrev_base is independent of abbrev_size. We should use abbrev_base +
abbrev_size to check abbrev section size.
* dwarf.c (process_debug_info): Properly check abbrev size.
---
binutils/ChangeLog | 4 ++++
binutils/dwarf.c | 9 +++++----
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index af7689b..372230e 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,7 @@
+2015-01-12 H.J. Lu <hongjiu.lu@intel.com>
+
+ * dwarf.c (process_debug_info): Properly check abbrev size.
+
2015-01-12 Nick Clifton <nickc@redhat.com>
PR binutils/17531
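Review bot: the new entry `+ * dwarf.c (process_debug_info): Properly check abbrev size.` carries no PR reference, although the mail body says it corrects the check added by the PR binutils/17531 commit listed directly below it; adding a `PR binutils/17531` line to the new entry keeps the follow-up traceable to the original report.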
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index a7310c8..d82c89c 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -2467,10 +2467,11 @@ process_debug_info (struct dwarf_section *section,
(unsigned long) compunit.cu_abbrev_offset,
(unsigned long) abbrev_size);
/* PR 17531: file:4bcd9ce9. */
- else if (abbrev_base >= abbrev_size)
- warn (_("Debug info is corrupted, abbrev base (%lx) is larger than abbrev section size (%lx)\n"),
- (unsigned long) abbrev_base,
- (unsigned long) abbrev_size);
+ else if ((abbrev_base + abbrev_size)
+ > debug_displays [abbrev_sec].section.size)
+ warn (_("Debug info is corrupted, abbrev size (%lx) is larger than abbrev section size (%lx)\n"),
+ (unsigned long) abbrev_base + abbrev_size,
+ (unsigned long) debug_displays [abbrev_sec].section.size);
else
process_abbrev_section
(((unsigned char *) debug_displays [abbrev_sec].section.start
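Review bot: in the new warn () call, `(unsigned long) abbrev_base + abbrev_size` casts only abbrev_base before the addition, so the value passed for `%lx` keeps the wider type of abbrev_size wherever that type is wider than unsigned long; write `(unsigned long) (abbrev_base + abbrev_size)` so the cast covers the sum. The new condition `(abbrev_base + abbrev_size) > debug_displays [abbrev_sec].section.size` also depends on the addition not wrapping: a corrupted abbrev_base near the top of its range makes the sum wrap to a small number and pass the check, which `abbrev_base > section.size || abbrev_size > section.size - abbrev_base` avoids. Finally, the message text "abbrev size (%lx)" is printed with the end offset abbrev_base + abbrev_size rather than with abbrev_size, so "abbrev base + size" would describe the value shown.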
--
1.9.3
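The bounds check the patch argues for, as an added illustration rather than binutils code: the three functions model the old check (`abbrev_base >= abbrev_size`, which compares two independent quantities and rejects valid CUs), the patched check (end offset against section size), and an overflow-safe form of the same test; `dwarf_vma` is assumed here to be a 64-bit unsigned type, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumption for this example: offsets and sizes are 64-bit, as in dwarf.c. */
typedef uint64_t dwarf_vma;

/* The check the patch removes: abbrev_base and abbrev_size are independent,
   so a CU whose abbrev table starts at offset 50 and is 10 bytes long is
   wrongly reported as corrupt (this is what broke the gold dwp tests).  */
static bool
abbrev_ok_old (dwarf_vma abbrev_base, dwarf_vma abbrev_size,
               dwarf_vma section_size)
{
  (void) section_size;
  return abbrev_base < abbrev_size;
}

/* The check the patch adds: the table must end inside the section.
   Correct for ordinary inputs, but the addition can wrap for a corrupt
   abbrev_base close to the maximum value, making a bogus range pass.  */
static bool
abbrev_ok_patched (dwarf_vma abbrev_base, dwarf_vma abbrev_size,
                   dwarf_vma section_size)
{
  return (abbrev_base + abbrev_size) <= section_size;
}

/* Same test written as a subtraction so it cannot wrap: this is the form
   a fuzzed-input bounds check should take.  */
static bool
abbrev_ok_safe (dwarf_vma abbrev_base, dwarf_vma abbrev_size,
                dwarf_vma section_size)
{
  if (abbrev_base > section_size)
    return false;
  return abbrev_size <= section_size - abbrev_base;
}
```
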