f53b235000
Fix another seg-fault parsing corrupt DWARF information. (#1573367) Fix a seg-fault copying a corrupt ELF file. (#1551788) Fix a seg-fault parsing a large ELF files on a 32-bit host. (#1539891) Fix a seg-fault running nm on a corrupt ELF file. (#15343247) Fix a seg-fault running nm on a file containing corrupt DWARF information. (#1551781) Fix another seg-fault running nm on a file containing corrupt DWARF information. (#1551763)
38 lines
1.1 KiB
Diff
38 lines
1.1 KiB
Diff
--- binutils.orig/bfd/dwarf1.c 2018-05-01 13:04:35.060041875 +0100
|
|
+++ binutils-2.30/bfd/dwarf1.c 2018-05-01 13:24:17.943833855 +0100
|
|
@@ -213,6 +213,7 @@ parse_die (bfd * abfd,
|
|
/* Then the attributes. */
|
|
while (xptr + 2 <= aDiePtrEnd)
|
|
{
|
|
+ unsigned int block_len;
|
|
unsigned short attr;
|
|
|
|
/* Parse the attribute based on its form. This section
|
|
@@ -255,12 +256,24 @@ parse_die (bfd * abfd,
|
|
break;
|
|
case FORM_BLOCK2:
|
|
if (xptr + 2 <= aDiePtrEnd)
|
|
- xptr += bfd_get_16 (abfd, xptr);
|
|
+ {
|
|
+ block_len = bfd_get_16 (abfd, xptr);
|
|
+ if (xptr + block_len > aDiePtrEnd
|
|
+ || xptr + block_len < xptr)
|
|
+ return FALSE;
|
|
+ xptr += block_len;
|
|
+ }
|
|
xptr += 2;
|
|
break;
|
|
case FORM_BLOCK4:
|
|
if (xptr + 4 <= aDiePtrEnd)
|
|
- xptr += bfd_get_32 (abfd, xptr);
|
|
+ {
|
|
+ block_len = bfd_get_32 (abfd, xptr);
|
|
+ if (xptr + block_len > aDiePtrEnd
|
|
+ || xptr + block_len < xptr)
|
|
+ return FALSE;
|
|
+ xptr += block_len;
|
|
+ }
|
|
xptr += 4;
|
|
break;
|
|
case FORM_STRING:
|