Found with afl-fuzz. Signed-off-by: Mark Wielaard <[email protected]> --- libdw/ChangeLog | 5 +++++ libdw/dwarf_siblingof.c | 7 +++++++ 2 files changed, 12 insertions(+)
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index bf64c2e..a04aa62 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-27 Mark Wielaard <[email protected]>
+
+ * dwarf_siblingof.c (dwarf_siblingof): Check sibling attribute offset
+ still falls inside CU data.
+
 2014-12-24 Mark Wielaard <[email protected]>
 * dwarf_getsrc_die.c (dwarf_getsrc_die): Return the last line record
diff --git a/libdw/dwarf_siblingof.c b/libdw/dwarf_siblingof.c
index 27830ea..f8241b3 100644
--- a/libdw/dwarf_siblingof.c
+++ b/libdw/dwarf_siblingof.c
@@ -79,6 +79,13 @@ dwarf_siblingof (die, result)
 /* Something went wrong. */
 return -1;
+ size_t size = sibattr.cu->endp - sibattr.cu->startp;
+ if (unlikely (offset >= size))
+ {
+ __libdw_seterrno (DWARF_E_INVALID_DWARF);
+ return -1;
+ }
+
 /* Compute the next address. */
 addr = sibattr.cu->startp + offset;
 }
-- 
2.1.0
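Review bot: The new bound `offset >= size` only keeps `addr` inside the CU; it still accepts a DW_AT_sibling offset that points at or before the current DIE, which is exactly the shape a fuzzer will find next, and a caller walking siblings with `while (dwarf_siblingof (&die, &die) == 0)` would then spin forever on a crafted file. Assuming the Dwarf_Die passed in carries its own address (it appears to be `die->addr` elsewhere in libdw, please confirm), the check can reject backward links in the same branch: `if (unlikely (offset >= size || sibattr.cu->startp + offset <= (unsigned char *) die->addr))`. Note also that `offset` is an unsigned 64-bit value while `size` is `size_t`; the comparison is safe on both 32- and 64-bit targets because `offset` is not narrowed, but a one-line comment saying so would save the next reader the check. The body of `dwarf_siblingof` begins and ends outside this hunk, so the `while` loop that consumes `addr` could not be reviewed here.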
