https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c30

Signed-off-by: Mark Wielaard <[email protected]>
---
 libdw/ChangeLog          |  5 +++++
 libdw/dwarf_getaranges.c | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index fd3e4ad..f5dfc8f 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-05  Mark Wielaard  <[email protected]>
+
+       * dwarf_getaranges.c (dwarf_getaranges): Check there is enough data
+       left before reading values.
+
 2015-05-04  Anthony G. Basile  <[email protected]>
 
        * Makefile.am (libdw_so_SOURCES): Append $(argp_LDADD) to link
diff --git a/libdw/dwarf_getaranges.c b/libdw/dwarf_getaranges.c
index 4953af5..c03e946 100644
--- a/libdw/dwarf_getaranges.c
+++ b/libdw/dwarf_getaranges.c
@@ -110,10 +110,16 @@ dwarf_getaranges (dbg, aranges, naranges)
 
         5. A 1-byte unsigned integer containing the size in bytes of
         a segment descriptor on the target system.  */
+      if (readp + 4 > readendp)
+       goto invalid;
+
       Dwarf_Word length = read_4ubyte_unaligned_inc (dbg, readp);
       unsigned int length_bytes = 4;
       if (length == DWARF3_LENGTH_64_BIT)
        {
+         if (readp + 8 > readendp)
+           goto invalid;
+
          length = read_8ubyte_unaligned_inc (dbg, readp);
          length_bytes = 8;
        }
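Review bot: The new guards form `readp + 4` and `readp + 8` before comparing against `readendp`, and when readp sits within the last few bytes of the section that pointer arithmetic lands more than one past the end of the buffer, which is undefined behaviour a compiler is entitled to fold away; comparing the remaining length avoids forming the pointer at all, `if (readendp - readp < 4) goto invalid;` and `if (readendp - readp < 8) goto invalid;`. The same idiom applies to the checks added in the later hunks. dwarf_getaranges and the per-set loop these reads belong to begin above this hunk.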
@@ -121,6 +127,9 @@ dwarf_getaranges (dbg, aranges, naranges)
                         && length <= DWARF3_LENGTH_MAX_ESCAPE_CODE))
        goto invalid;
 
+      if (readp + 2 > readendp)
+       goto invalid;
+
       unsigned int version = read_2ubyte_unaligned_inc (dbg, readp);
       if (version != 2)
        {
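Review bot: `length`, read in the previous hunk, is only screened against the escape-code range (the `DWARF3_LENGTH_MAX_ESCAPE_CODE` test just above) and is never, as far as these hunks show, compared with the bytes actually left in the section, so a set whose declared length overruns .debug_aranges is accepted and the parser then relies solely on the per-field guards to stay in bounds. Unless that comparison exists outside the visible hunks, add it directly after the escape-code test: `if (length > (Dwarf_Word) (readendp - readp)) goto invalid;`. With that in place `readp + length` also becomes a trustworthy end-of-set bound for the tuple loop later in the function. The loop enclosing the version check starts before this hunk.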
@@ -136,7 +145,7 @@ dwarf_getaranges (dbg, aranges, naranges)
          return -1;
        }
 
-      Dwarf_Word offset;
+      Dwarf_Word offset = 0;
       if (__libdw_read_offset_inc (dbg,
                                   IDX_debug_aranges, &readp,
                                   length_bytes, &offset, IDX_debug_info, 4))
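Review bot: The new `= 0` initializer of `offset` has no visible reader on the failure path (`goto fail` follows immediately), so it presumably exists to quiet a maybe-uninitialized warning rather than to change behaviour, and a short comment would stop the next maintainer from removing it: `/* Zeroed only to silence -Wmaybe-uninitialized; set by __libdw_read_offset_inc on success.  */`. If the helper can in fact return success without storing, that is the real defect and the initializer only masks it, which is worth confirming against __libdw_read_offset_inc. The `fail` label and the later use of offset lie outside this hunk.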
@@ -164,6 +173,9 @@ dwarf_getaranges (dbg, aranges, naranges)
                                        address_size, &range_address))
            goto fail;
 
+         if (readp + address_size > readendp)
+           goto invalid;
+
          if (address_size == 4)
            range_length = read_4ubyte_unaligned_inc (dbg, readp);
          else
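Review bot: The added guard bounds the `range_length` read only by the section end `readendp`, not by the end of the current set, so a tuple list that lacks its terminating zero pair is, as far as the visible lines show, parsed straight through the next set's header as address/length pairs instead of being rejected. If the set end is recorded once when `length` is read at the top of the outer loop (`const unsigned char *setend = readp + length;`, after length has been checked against the remaining bytes), this check and the address read above it can test against `setend` rather than `readendp`, and reaching `setend` without the terminator can `goto invalid`. Whether `__libdw_read_address_inc` does its own bounds check cannot be seen here; the tuple loop and the enclosing set loop both start and end outside this hunk.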
-- 
2.1.0
