From: Alan Modra Date: Mon, 19 Aug 2019 10:54:35 +0000 (+0930) Subject: PR24898, An out-of-bounds read occured in display_data X-Git-Url: http://drtracing.org/?a=commitdiff_plain;h=d292364e95fc9c8230b678d9026f285850074c02;p=deliverable%2Fbinutils-gdb.git PR24898, An out-of-bounds read occured in display_data Given 32-bit pointers and a 64-bit bfd_size_type, it is relatively easy to construct a value of augmentation_data_len (eg. 0x100000000) that won't fail pointer checks but will print without bounds. PR 24898 * dwarf.c (display_debug_frames): Use the read_cie check and error for augmentation data length. --- diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 7605a40395..f629282e47 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,9 @@ +2019-08-19 Alan Modra + + PR 24898 + * dwarf.c (display_debug_frames): Use the read_cie check and error + for augmentation data length. + 2019-08-17 Alan Modra PR 24911 diff --git a/binutils/dwarf.c b/binutils/dwarf.c index b4738ebb8d..e792a17018 100644 --- a/binutils/dwarf.c +++ b/binutils/dwarf.c @@ -7822,18 +7822,18 @@ display_debug_frames (struct dwarf_section *section, { READ_ULEB (augmentation_data_len); augmentation_data = start; - start += augmentation_data_len; /* PR 17512 file: 722-8446-0.004 and PR 22386. */ - if (start >= end - || ((bfd_signed_vma) augmentation_data_len) < 0 - || augmentation_data > start) + if (augmentation_data_len > (bfd_size_type) (end - start)) { - warn (_("Corrupt augmentation data length: 0x%s\n"), - dwarf_vmatoa ("x", augmentation_data_len)); + warn (_("Augmentation data too long: 0x%s, " + "expected at most %#lx\n"), + dwarf_vmatoa ("x", augmentation_data_len), + (unsigned long) (end - start)); start = end; augmentation_data = NULL; augmentation_data_len = 0; } + start += augmentation_data_len; } printf ("\n%08lx %s %s FDE cie=%08lx pc=",
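Review bot: In the dwarf.c hunk, the new test `augmentation_data_len > (bfd_size_type) (end - start)` accepts a length exactly equal to `end - start`, which the removed `start >= end` condition rejected, so after `start += augmentation_data_len` the pointer can now sit exactly at `end`; please confirm that the code following this block rechecks against `end` before reading from `start`. The cast also relies on `start <= end` holding at this point, since a negative difference would convert to a very large bfd_size_type and let any length through. The retained comment still names only PR 17512 and PR 22386; adding PR 24898 there would keep it in step with the ChangeLog entry.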
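An added illustration, not code from binutils or from the commit: a model of the augmentation length check before and after this change on a host with 32-bit pointers, using the 0x100000000 value from the commit message. The `addr32` type, the function names and the sample addresses are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit host: addresses are 32 bits wide, while the length
   (bfd_size_type in the patch) is 64 bits wide.  Names are illustrative. */
typedef uint32_t addr32;

/* The removed logic: advance the pointer first, then test the result.
   Returns 1 when the length is accepted. */
static int old_check_accepts(addr32 start, addr32 end, uint64_t len)
{
    addr32 augmentation_data = start;
    start += (addr32) len;            /* high 32 bits of len are lost here */
    if (start >= end || (int64_t) len < 0 || augmentation_data > start)
        return 0;
    return 1;
}

/* The added logic: compare the length with the bytes remaining, before
   any pointer arithmetic.  Assumes start <= end on entry. */
static int new_check_accepts(addr32 start, addr32 end, uint64_t len)
{
    return len <= (uint64_t) (end - start);
}

int main(void)
{
    /* Constructed sample: a 0x100-byte window at a made-up address. */
    const addr32 start = 0x1000, end = 0x1100;
    const uint64_t lens[] = { 0x10, 0x100, 0x101, 0x100000000ULL };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=0x%llx old=%d new=%d\n", (unsigned long long) lens[i],
               old_check_accepts(start, end, lens[i]),
               new_check_accepts(start, end, lens[i]));
    return 0;
}
```

In this model the old test accepts 0x100000000 because the advanced pointer is unchanged, while the new test rejects it; a length of exactly 0x100 shows the boundary case that the old test rejected and the new one accepts.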