espressif/binutils-gdb
1
0
Fork 0
mirror of https://github.com/espressif/binutils-gdb.git synced 2025-06-23 03:29:47 +08:00
Code Issues Packages Projects Releases Wiki Activity

PR27849, heap-buffer-overflow on readelf -w

Browse Source 
PR 27849
	* dwarf.c (fetch_indexed_string): Correct length sanity checks.
	Sanity check section size for version and padding too.  Correct
	index sanity check.  Handle multiple tables in .debug_str_offsets.
This commit is contained in:
Alan Modra
2021-05-12 08:51:22 +09:30
parent 425b0b1a98
commit 5ab3907543
2 changed files with 31 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
binutils/ChangeLog
View File

@ -1,3 +1,10 @@
2021-05-12 Alan Modra <amodra@gmail.com>
PR 27849
* dwarf.c (fetch_indexed_string): Correct length sanity checks.
Sanity check section size for version and padding too. Correct
index sanity check. Handle multiple tables in .debug_str_offsets.
2021-05-11 Hans-Peter Nilsson <hp@axis.com> 2021-05-11 Hans-Peter Nilsson <hp@axis.com>
* dwarf.c (process_abbrev_set): Properly parenthesize before * dwarf.c (process_abbrev_set): Properly parenthesize before

32
binutils/dwarf.c
View File

@ -745,7 +745,7 @@ fetch_indexed_string (dwarf_vma idx, struct cu_tu_set *this_set,
dwarf_vma str_offset; dwarf_vma str_offset;
const char * ret; const char * ret;
unsigned char *curr = index_section->start; unsigned char *curr = index_section->start;
const unsigned char *end = curr + index_section->size; unsigned char *end = curr + index_section->size;
dwarf_vma length; dwarf_vma length;
if (index_section->start == NULL) if (index_section->start == NULL)
@ -780,16 +780,31 @@ fetch_indexed_string (dwarf_vma idx, struct cu_tu_set *this_set,
{ {
/* Skip the version and padding bytes. /* Skip the version and padding bytes.
We assume that they are correct. */ We assume that they are correct. */
curr += 4; if (end - curr >= 4)
curr += 4;
else
curr = end;
if (length >= 4)
length -= 4;
else
length = 0;
/* FIXME: The code below assumes that there is only one table if (this_set != NULL
in the .debug_str_offsets section, so check that now. */ && this_set->section_sizes[DW_SECT_STR_OFFSETS] < length)
if ((offset_size == 4 && curr + length < (end - 8)) length = this_set->section_sizes[DW_SECT_STR_OFFSETS];
|| (offset_size == 8 && curr + length < (end - 16)))
if (length > (dwarf_vma) (end - curr))
{ {
warn (_("index table size is too small %s vs %s\n"), warn (_("index table size too large for section %s vs %s\n"),
dwarf_vmatoa ("x", length), dwarf_vmatoa ("x", length),
dwarf_vmatoa ("x", index_section->size)); dwarf_vmatoa ("x", index_section->size));
length = end - curr;
}
if (length < offset_size)
{
warn (_("index table size %s is too small\n"),
dwarf_vmatoa ("x", length));
return _("<table too small>"); return _("<table too small>");
} }
} }
@ -799,7 +814,8 @@ fetch_indexed_string (dwarf_vma idx, struct cu_tu_set *this_set,
if (this_set != NULL) if (this_set != NULL)
index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS]; index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS];
if (index_offset >= length) if (index_offset >= length
|| length - index_offset < offset_size)
{ {
warn (_("DW_FORM_GNU_str_index offset too big: 0x%s vs 0x%s\n"), warn (_("DW_FORM_GNU_str_index offset too big: 0x%s vs 0x%s\n"),
dwarf_vmatoa ("x", index_offset), dwarf_vmatoa ("x", index_offset),