Fix potential illegal memory accesses when parsing corrupt DWARF data.

PR 29914 * dwarf.c (fetch_indexed_value): Fail if the section is not big enough to contain a header size field. (display_debug_addr): Fail if the computed address size is too big or too small.
tromey · Dec 19, 2022 · 42f39fd · 42f39fd
1 parent d14b3ea
commit 42f39fd
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
@@ -1,3 +1,11 @@
+2022-12-19  Nick Clifton  <nickc@redhat.com>
+
+	PR 29914
+	* dwarf.c (fetch_indexed_value): Fail if the section is not big
+	enough to contain a header size field.
+	(display_debug_addr): Fail if the computed address size is too big
+	or too small.
+
 2022-12-16  Nick Clifton  <nickc@redhat.com>
 
 	PR 29908

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
@@ -739,6 +739,13 @@ fetch_indexed_value (uint64_t idx,
       return -1;
     }
 
+  if (section->size < 4)
+    {
+      warn (_("Section %s is too small to contain an value indexed from another section!\n"),
+	    section->name);
+      return -1;
+    }
+
   uint32_t pointer_size, bias;
 
   if (byte_get (section->start, 4) == 0xffffffff)
@@ -7770,6 +7777,13 @@ display_debug_addr (struct dwarf_section *section,
       header = end;
       idx = 0;
 
+      if (address_size < 1 || address_size > sizeof (uint64_t))
+	{
+	  warn (_("Corrupt %s section: address size (%x) is wrong"),
+		section->name, address_size);
+	  return 0;
+	}
+
       while ((size_t) (end - entry) >= address_size)
 	{
 	  uint64_t base = byte_get (entry, address_size);