Fix potential illegal memory accesses when parsing corrupt DWARF data.

PR 29914 * dwarf.c (fetch_indexed_value): Fail if the section is not big enough to contain a header size field. (display_debug_addr): Fail if the computed address size is too big or too small.
2022-12-19 11:13:46 +00:00 · 2022-12-19 11:13:46 +00:00 · 42f39fdedc
commit 42f39fdedc
parent d14b3ea1c8
2 changed files with 22 additions and 0 deletions
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@ -1,3 +1,11 @@
+2022-12-19  Nick Clifton  <nickc@redhat.com>
+
+	PR 29914
+	* dwarf.c (fetch_indexed_value): Fail if the section is not big
+	enough to contain a header size field.
+	(display_debug_addr): Fail if the computed address size is too big
+	or too small.
+
 2022-12-16  Nick Clifton  <nickc@redhat.com>

 	PR 29908
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@ -739,6 +739,13 @@ fetch_indexed_value (uint64_t idx,
      return -1;
    }

+  if (section->size < 4)
+    {
+      warn (_("Section %s is too small to contain an value indexed from another section!\n"),
+	    section->name);
+      return -1;
+    }
+
  uint32_t pointer_size, bias;

  if (byte_get (section->start, 4) == 0xffffffff)
@ -7770,6 +7777,13 @@ display_debug_addr (struct dwarf_section *section,
      header = end;
      idx = 0;

+      if (address_size < 1 || address_size > sizeof (uint64_t))
+	{
+	  warn (_("Corrupt %s section: address size (%x) is wrong"),
+		section->name, address_size);
+	  return 0;
+	}
+
      while ((size_t) (end - entry) >= address_size)
 	{
 	  uint64_t base = byte_get (entry, address_size);