From 7e030e9e32ad36334dd5ca6781f619f52095ceed Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 9 Oct 2019 10:47:13 +1030
Subject: [PATCH 2/2] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
|
|
Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
and ffffd5555453b140 result in a total size of 1. Reading the first
section of course overflows the buffer and tramples on other memory.
|
|
PR 25070
* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
total_size calculation.
---
bfd/dwarf2.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
|
|
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index af312b30d5..26bfb25eb3 100644
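--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -4424,7 +4424,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
 for (total_size = 0;
 msec;
 msec = find_debug_info (debug_bfd, debug_sections, msec))
- total_size += msec->size;
+ {
+ /* Catch PR25070 testcase overflowing size calculation here. */
+ if (total_size + msec->size < total_size
+ || total_size + msec->size < msec->size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+ total_size += msec->size;
+ }
 
 stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
 if (stash->info_ptr_memory == NULL)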
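Review bot: The overflow guard in the new loop body reports `bfd_error_no_memory`, which makes a malformed section table look like allocator exhaustion; an input-validation code such as `bfd_set_error (bfd_error_bad_value);` would describe the cause more accurately for callers and for triage. The two comparisons are also redundant if `total_size` and `msec->size` are both unsigned (their declarations are outside the hunk): a wrapped sum is smaller than either operand, so `if (total_size + msec->size < total_size)` alone is enough. The guard catches only wrap-around, so a large sum that does not wrap still reaches `bfd_malloc`. The hunk does not show whether each `msec->size` is checked against the file size before the sections are read, which is worth confirming in the rest of `_bfd_dwarf2_slurp_debug_info`, whose body starts and ends outside this hunk.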
--
2.19.1