Signed-off-by: Mark Wielaard <[email protected]>
---
 libdw/ChangeLog           | 5 +++--
 libdw/dwarf_getsrclines.c | 4 ++--
 src/ChangeLog             | 5 +++++
 src/readelf.c             | 4 ++--
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 757fb23..0592220 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,6 +1,7 @@
-2014-12-15  Mark Wielaard  <[email protected]>
+2014-12-16  Mark Wielaard  <[email protected]>
 
-2014-12-15  Mark Wielaard  <[email protected]>
+       * dwarf_getsrclines.c (read_srclines): Correct overflow check for
+       unit_length.
 
 2014-12-15  Mark Wielaard  <[email protected]>
 
diff --git a/libdw/dwarf_getsrclines.c b/libdw/dwarf_getsrclines.c
index d50a17d..d477944 100644
--- a/libdw/dwarf_getsrclines.c
+++ b/libdw/dwarf_getsrclines.c
@@ -113,8 +113,8 @@ read_srclines (Dwarf *dbg,
     }
 
   /* Check whether we have enough room in the section.  */
-  if (unit_length < 2 + length + 5 * 1
-      || unlikely (linep + unit_length > lineendp))
+  if (unlikely (unit_length > (size_t) (lineendp - linep)
+      || unit_length < 2 + length + 5 * 1))
     goto invalid_data;
   lineendp = linep + unit_length;
 
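Review bot: The cast in `(size_t) (lineendp - linep)` is only safe while linep has not already moved past lineendp; a negative difference converts to a very large value, and the new check would then accept any unit_length. The hunk does not show whether the reads before it bound linep (read_srclines starts and ends outside the hunk), so if they do not, guard first with `if (unlikely (linep > lineendp)) goto invalid_data;`. The same pattern appears in the print_debug_line_section hunk in src/readelf.c.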
diff --git a/src/ChangeLog b/src/ChangeLog
index 1ca1540..1dc1957 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,10 @@
 2014-12-16  Mark Wielaard  <[email protected]>
 
+       * readelf.c (print_debug_line_section): Correct overflow check for
+       unit_length.
+
+2014-12-16  Mark Wielaard  <[email protected]>
+
        * elfcmp.c (compare_Elf32_Word): Make sure (unsigned) Elf32_Word
        difference doesn't wrap around before returning as int.
 
diff --git a/src/readelf.c b/src/readelf.c
index e9a356d..3c686d5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -6357,8 +6357,8 @@ print_debug_line_section (Dwfl_Module *dwflmod, Ebl *ebl, 
GElf_Ehdr *ehdr,
        }
 
       /* Check whether we have enough room in the section.  */
-      if (unit_length < 2 + length + 5 * 1
-         || unlikely (linep + unit_length > lineendp))
+      if (unlikely (unit_length > (size_t) (lineendp - linep)
+         || unit_length < 2 + length + 5 * 1))
        goto invalid_data;
       lineendp = linep + unit_length;
 
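Review bot: The lower bound `2 + length + 5 * 1` in the new condition is undocumented, so a reader cannot tell which header fields it is meant to cover. A short comment above the check would help, for example `/* Minimum header: 2-byte version, a header_length field of size length, and five 1-byte fields.  */`. That reading is inferred from the expression alone and should be confirmed against the header parsing that follows, which is outside the hunk. The libdw/dwarf_getsrclines.c hunk carries the same expression and would benefit from the same comment.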
-- 
1.8.3.1
