FreeChainXenon/binutils-gdb
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

PR25018, readelf crash on 32bits

Browse source 
Pointer comparisons after adding an offset just don't work to catch
overflow when the offset is a larger type than the pointer.

	PR 25018
	* dwarf.c (get_type_signedness): Delete ineffective pointer
	comparison check.  Properly range check uvalue offset on
	recursive call.
	(read_and_display_attr_value): Range check uvalue offset before
	calling get_type_signedness.
This commit is contained in:
Alan Modra 2019-09-23 08:53:07 +09:30
parent a13ba30840
commit b3fe587ed2
2 changed files with 13 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
binutils/dwarf.c
View file

@ -1999,9 +1999,6 @@ get_type_signedness (unsigned char * start,
* is_signed = FALSE;
if (data >= end)
return;
abbrev_number = read_uleb128 (data, & bytes_read, end);
data += bytes_read;
@ -2042,6 +2039,8 @@ get_type_signedness (unsigned char * start,
NB/ We need to avoid infinite recursion. */
return;
}
if (uvalue >= (size_t) (end - start))
return;
get_type_signedness (start, start + uvalue, end, pointer_size,
offset_size, dwarf_version, is_signed, TRUE);
break;
@ -2725,7 +2724,8 @@ read_and_display_attr_value (unsigned long attribute,
switch (attribute)
{
case DW_AT_type:
if (level >= 0 && level < MAX_CU_NESTING)
if (level >= 0 && level < MAX_CU_NESTING
&& uvalue < (size_t) (end - start))
{
bfd_boolean is_signed = FALSE;