This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
[pr/17940] bfd/dwarf2.c: fix overflow bug in .dwarf_line
- From: DJ Delorie <dj at redhat dot com>
- To: binutils at sourceware dot org
- Date: Thu, 12 Feb 2015 01:46:44 -0500
- Subject: [pr/17940] bfd/dwarf2.c: fix overflow bug in .dwarf_line
- Authentication-results: sourceware.org; auth=none
If you have an unlinked object compiled with -ftext-sections,
you get:
RELOCATION RECORDS FOR [.debug_line]:
OFFSET TYPE VALUE
00000000 R_MSP430_ABS32 .debug_line_end-0x00000004
with .debug_line_end undefined (i.e. has a value of zero), which
results in -4 (0xfffffffc) being stored during "simple_reloc". This
is interpreted as a very large positive number. This patch checks for
that special case, and arbitrary overflow cases. OK?
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index ccc1365..bfb1c48 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -1629,6 +1629,16 @@ decode_line_info (struct comp_unit *unit, struct dwarf2_debug *stash)
line_ptr += 4;
offset_size = 8;
}
+ if ((lh.total_length & 0xffffffffUL) == 0xfffffffcUL)
+ {
+ /* Unlinked object with "empty" table might have this. */
+ lh.total_length = 0;
+ }
+
+ /* Avoid buffer overflow. */
+ if (lh.total_length + 4 > stash->dwarf_line_size)
+ lh.total_length = stash->dwarf_line_size - 4;
+
line_end = line_ptr + lh.total_length;
lh.version = read_2_bytes (abfd, line_ptr);
if (lh.version < 2 || lh.version > 4)
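Review bot: the clamp `if (lh.total_length + 4 > stash->dwarf_line_size)` compares against the size of the whole section rather than the bytes left after `line_ptr`, so for any line-number program that does not start at the beginning of the buffer, `line_end = line_ptr + lh.total_length` can still point past the end of it; compute the remaining length from `line_ptr` to the end of the buffer that `dwarf_line_size` describes and compare `lh.total_length` against that, which also removes the hardcoded `+ 4`: the initial-length field is not always 4 bytes, as the branch ending just above with `line_ptr += 4; offset_size = 8;` shows, and if `lh.total_length` is wider than 32 bits (the `& 0xffffffffUL` mask suggests it is) a value near the top of its range passes the `0xfffffffc` special case and wraps in `lh.total_length + 4`, defeating the check. Two smaller points in the same hunk: `stash->dwarf_line_size - 4` underflows if the section is shorter than 4 bytes, and silently truncating the unit to the section size hides a corrupt or truncated header; returning an error here, as the `lh.version < 2 || lh.version > 4` check below does, would be the safer choice.

Added example, not the patch above and not bfd's own code: a stand-alone reader for the `.debug_line` initial-length field that handles the three cases the message describes (the unresolved `.debug_line_end-4` left as `0xfffffffc` in an unlinked object, a 32-bit or 64-bit DWARF length that fits, and a length that claims more bytes than remain) and bounds-checks against the bytes remaining from the unit's own offset instead of the whole section size. It assumes little-endian input (as on MSP430) and uses constructed sample byte strings, not real compiler output; the names `read_line_unit_length` and `struct line_hdr` are this example's, not bfd's.

```c
/* Bounds-checked reader for the DWARF .debug_line initial-length field.
   Example code written for this page; not bfd/dwarf2.c. Assumes
   little-endian byte order. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum line_hdr_status {
  LINE_HDR_OK = 0,      /* total_length fits in the remaining buffer */
  LINE_HDR_UNRESOLVED,  /* unlinked object: .debug_line_end-4 left as 0xfffffffc */
  LINE_HDR_TRUNCATED,   /* header claims more bytes than remain: reject, don't clamp */
  LINE_HDR_SHORT        /* the initial-length field itself is not present */
};

struct line_hdr {
  uint64_t total_length; /* unit length, counted after the length field */
  size_t offset_size;    /* 4 for 32-bit DWARF, 8 for 64-bit DWARF */
  size_t body_offset;    /* offset of the first byte after the length field */
};

static uint32_t rd4(const unsigned char *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t rd8(const unsigned char *p) {
  return (uint64_t)rd4(p) | ((uint64_t)rd4(p + 4) << 32);
}

/* Read the initial length of the unit starting at buf[offset]. */
enum line_hdr_status
read_line_unit_length(const unsigned char *buf, size_t buf_size,
                      size_t offset, struct line_hdr *out)
{
  size_t pos = offset;
  if (offset > buf_size || buf_size - offset < 4)
    return LINE_HDR_SHORT;

  uint32_t len32 = rd4(buf + pos);
  pos += 4;
  out->offset_size = 4;
  out->total_length = len32;

  if (len32 == 0xffffffffU) {
    /* 64-bit DWARF escape: an 8-byte length follows, 12 bytes in total. */
    if (buf_size - pos < 8)
      return LINE_HDR_SHORT;
    out->total_length = rd8(buf + pos);
    pos += 8;
    out->offset_size = 8;
  }
  out->body_offset = pos;

  /* Unlinked object: R_*_ABS32 against an undefined .debug_line_end with
     addend -4 leaves 0xfffffffc in the field. Treat the unit as empty. */
  if (out->offset_size == 4 && len32 == 0xfffffffcU) {
    out->total_length = 0;
    return LINE_HDR_UNRESOLVED;
  }

  /* Compare against the bytes remaining after the length field at this
     unit's own offset. No addition on the untrusted side, so nothing wraps. */
  if (out->total_length > (uint64_t)(buf_size - pos))
    return LINE_HDR_TRUNCATED;
  return LINE_HDR_OK;
}

/* Constructed sample sections (not real compiler output). */
static const unsigned char sample_unlinked[] = {
  0xfc, 0xff, 0xff, 0xff, 0x02, 0x00 };              /* length -4, version 2 */
static const unsigned char sample_ok[] = {
  0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0xaa, 0xbb };  /* length 4, 4 bytes follow */
static const unsigned char sample_lie[] = {
  0x40, 0x00, 0x00, 0x00, 0x02, 0x00 };              /* claims 64, only 2 remain */
static const unsigned char sample_64[] = {
  0xff, 0xff, 0xff, 0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0x04, 0x00 }; /* 64-bit, length 2 */
/* Two units: the second, at offset 8, claims 8 bytes. 8 + 4 <= 14 passes a
   whole-section check, but only 2 bytes remain after its length field. */
static const unsigned char sample_two_units[] = {
  0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0xaa, 0xbb,
  0x08, 0x00, 0x00, 0x00, 0x02, 0x00 };

int main(void)
{
  static const char *names[] = { "ok", "unresolved", "truncated", "short" };
  struct { const char *label; const unsigned char *buf; size_t size; size_t off; } cases[] = {
    { "unlinked",        sample_unlinked,  sizeof sample_unlinked,  0 },
    { "ok",              sample_ok,        sizeof sample_ok,        0 },
    { "lie",             sample_lie,       sizeof sample_lie,       0 },
    { "64-bit",          sample_64,        sizeof sample_64,        0 },
    { "second unit @8",  sample_two_units, sizeof sample_two_units, 8 },
  };
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
    struct line_hdr h = { 0, 0, 0 };
    enum line_hdr_status s = read_line_unit_length(cases[i].buf, cases[i].size, cases[i].off, &h);
    printf("%-14s -> %-10s total_length=%llu offset_size=%zu\n", cases[i].label,
           names[s], (unsigned long long)h.total_length, h.offset_size);
  }
  return 0;
}
```

The last sample is the one a whole-section comparison misses: the second unit's length plus the 4-byte field is smaller than the section, yet its end lies beyond the buffer because the unit itself starts at offset 8.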