diff options
| author | Mark Wielaard <mark@klomp.org> | 2018-10-16 14:22:33 +0200 |
|---|---|---|
| committer | Mark Wielaard <mark@klomp.org> | 2018-10-20 00:55:56 +0200 |
| commit | 72d023b35f3639864b61bd1c11aaadc4957e6286 (patch) | |
| tree | 83ffd43432d6e8ddd6afab496375bafa1951f060 | |
| parent | dce0b3b63ba05e2bebd4543ac9248cc0d48b2d2a (diff) | |
readelf: Make sure readp is smaller than cieend in print_debug_frame_section.
We could end up with a negative length in a call to memchr.
https://sourceware.org/bugzilla/show_bug.cgi?id=23782
Signed-off-by: Mark Wielaard <mark@klomp.org>
| -rw-r--r-- | src/readelf.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/readelf.c b/src/readelf.c index 366e2c3d..dfbb3d0b 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -6598,18 +6598,24 @@ print_debug_frame_section (Dwfl_Module *dwflmod, Ebl *ebl, GElf_Ehdr *ehdr, ptrdiff_t start = readp - (unsigned char *) data->d_buf; const unsigned char *const cieend = readp + unit_length; - if (unlikely (cieend > dataend || readp + 8 > dataend)) + if (unlikely (cieend > dataend)) goto invalid_data; Dwarf_Off cie_id; if (length == 4) { + if (unlikely (cieend - readp < 4)) + goto invalid_data; cie_id = read_4ubyte_unaligned_inc (dbg, readp); if (!is_eh_frame && cie_id == DW_CIE_ID_32) cie_id = DW_CIE_ID_64; } else - cie_id = read_8ubyte_unaligned_inc (dbg, readp); + { + if (unlikely (cieend - readp < 8)) + goto invalid_data; + cie_id = read_8ubyte_unaligned_inc (dbg, readp); + } uint_fast8_t version = 2; unsigned int code_alignment_factor; @@ -6621,6 +6627,8 @@ print_debug_frame_section (Dwfl_Module *dwflmod, Ebl *ebl, GElf_Ehdr *ehdr, if (cie_id == (is_eh_frame ? 0 : DW_CIE_ID_64)) { + if (unlikely (cieend - readp < 2)) + goto invalid_data; version = *readp++; const char *const augmentation = (const char *) readp; readp = memchr (readp, '\0', cieend - readp); |