This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



[pr/17940] bfd/dwarf2.c: fix overflow bug in .dwarf_line


If you have an unlinked object compiled with -ftext-sections,
you get:

RELOCATION RECORDS FOR [.debug_line]:
OFFSET   TYPE              VALUE 
00000000 R_MSP430_ABS32    .debug_line_end-0x00000004

with .debug_line_end undefined (i.e. has a value of zero), which
results in -4 (0xfffffffc) being stored during "simple_reloc".  This
is interpreted as a very large positive number.  This patch checks for
that special case, and arbitrary overflow cases.  OK?

diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index ccc1365..bfb1c48 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -1629,6 +1629,16 @@ decode_line_info (struct comp_unit *unit, struct dwarf2_debug *stash)
       line_ptr += 4;
       offset_size = 8;
     }
+  if ((lh.total_length & 0xffffffffUL) == 0xfffffffcUL)
+    {
+      /* Unlinked object with "empty" table might have this.  */
+      lh.total_length = 0;
+    }
+
+  /* Avoid buffer overflow.  */
+  if (lh.total_length + 4 > stash->dwarf_line_size)
+    lh.total_length = stash->dwarf_line_size - 4;
+
   line_end = line_ptr + lh.total_length;
   lh.version = read_2_bytes (abfd, line_ptr);
   if (lh.version < 2 || lh.version > 4)
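Review bot: the guard `if (lh.total_length + 4 > stash->dwarf_line_size)` can wrap on its own: when `lh.total_length` is near the maximum of its type, adding 4 produces a small value, the test passes, and `line_end = line_ptr + lh.total_length` is again computed from a bogus length. The hard-coded 4 also does not hold on every path through the header reader; the block closing just above (`line_ptr += 4;` together with `offset_size = 8;`) shows a case where the length field occupies more than 4 bytes, so `dwarf_line_size - 4` overstates the room left. Suggest comparing against the bytes actually remaining from `line_ptr` to the end of the section, with the end pointer computed once from `dwarf_line_size` (hypothetical name): `if (lh.total_length > (bfd_size_type) (line_buf_end - line_ptr)) lh.total_length = line_buf_end - line_ptr;`. With that in place the `0xfffffffc` special case is only needed to treat the unlinked-object table as empty, not for memory safety.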
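The bounded length check described in the message, as an added example that is not the patch author's code nor part of bfd/dwarf2.c: it decodes the `.debug_line` initial-length field little-endian (matching the MSP430 object shown), treats the unresolved `.debug_line_end-4` value of `0xfffffffc` as an empty table, and clamps by comparing against the bytes that remain rather than adding to the length, so an oversized value cannot wrap. Function and parameter names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not binutils code.  Returns 1 and stores in *table_len
   the number of bytes after the length field that may safely be consumed;
   returns 0 if the length field itself does not fit in the section.  */
int safe_line_table_length(const uint8_t *sec, size_t sec_size,
                           size_t off, size_t *table_len)
{
    uint64_t len = 0;
    size_t hdr = 4;          /* bytes occupied by the length field */
    size_t remaining, i;

    /* Bounds-check the 4-byte field before reading it.  */
    if (off > sec_size || sec_size - off < 4)
        return 0;
    for (i = 0; i < 4; i++)
        len |= (uint64_t) sec[off + i] << (8 * i);

    if (len == 0xffffffffULL) {
        /* 64-bit DWARF: an 8-byte length follows the escape value.  */
        if (sec_size - off < 12)
            return 0;
        len = 0;
        for (i = 0; i < 8; i++)
            len |= (uint64_t) sec[off + 4 + i] << (8 * i);
        hdr = 12;
    } else if (len == 0xfffffffcULL) {
        /* Unresolved ".debug_line_end - 4" reloc in an unlinked object:
           the table is effectively empty, as the patch assumes.  */
        len = 0;
    }

    /* Clamp against the bytes left after the header.  Comparing instead of
       adding to len means a huge length can never wrap past the check.  */
    remaining = sec_size - off - hdr;
    if (len > remaining)
        len = remaining;
    *table_len = (size_t) len;
    return 1;
}

/* Convenience wrapper: clamped length, or SIZE_MAX if the header is
   truncated.  */
size_t line_table_length_or_max(const uint8_t *sec, size_t sec_size,
                                size_t off)
{
    size_t n;
    return safe_line_table_length(sec, sec_size, off, &n) ? n : SIZE_MAX;
}
```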

