Don't overflow in __libdw_in_section and __libdw_offset_in_section.
authorUlf Hermann <ulf.hermann@qt.io>
Tue, 9 May 2017 16:28:33 +0000 (18:28 +0200)
committerMark Wielaard <mark@klomp.org>
Wed, 20 Dec 2017 16:47:01 +0000 (17:47 +0100)
This exposes a bug in dwarf_formstring as detected by the dwarf-getmacros
test before we made sure to use the correct sec_idx for the CU.

Signed-off-by: Ulf Hermann <ulf.hermann@qt.io>
Signed-off-by: Mark Wielaard <mark@klomp.org>
libdw/ChangeLog
libdw/libdwP.h

index 22b7bf4dbb944a7f70b108904604f2a5b435c30b..eb1cb709e63ca217250b47aa4b834df779c63f1f 100644 (file)
@@ -1,3 +1,10 @@
+2017-05-09  Ulf Hermann  <ulf.hermann@qt.io>
+           Mark Wielaard  <mark@klomp.org>
+
+       * libdwP.h (__libdw_in_section): Fix check for the upper border of
+       the range.
+       (__libdw_offset_in_section): Likewise.
+
 2017-12-20  Mark Wielaard  <mark@klomp.org>
 
        * libdwP.h (struct Dwarf_CU): Add sec_idx field.
index f524347c7a87d50102e545fd22ec89fc45724600..82b47d09e1f1d87fcff75f9a9447a88fb0394eb6 100644 (file)
@@ -628,7 +628,8 @@ __libdw_offset_in_section (Dwarf *dbg, int sec_index,
   if (data == NULL)
     return -1;
   if (unlikely (offset > data->d_size)
-      || unlikely (data->d_size - offset < size))
+      || unlikely (data->d_size < size)
+      || unlikely (offset > data->d_size - size))
     {
       __libdw_seterrno (DWARF_E_INVALID_OFFSET);
       return -1;
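Review bot: The added tests are wrap-free only in this order, since `data->d_size - size` is safe solely because `data->d_size < size` is rejected on the line before, and nothing in the code says so. A one-line comment above the `if`, such as `/* Test d_size >= size first so that d_size - size cannot wrap.  */`, would keep a later reordering from quietly reintroducing an unsigned wrap in this bounds check. Assuming `offset` and `size` are unsigned (their declarations are outside the hunk), the leading `offset > data->d_size` test is now implied by the other two and could be dropped or marked as a deliberate early-out. The same comment is worth adding to the `__libdw_in_section` hunk below; both function bodies start and end outside the hunks shown.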
@@ -645,7 +646,8 @@ __libdw_in_section (Dwarf *dbg, int sec_index,
   if (data == NULL)
     return false;
   if (unlikely (addr < data->d_buf)
-      || unlikely (data->d_size - (addr - data->d_buf) < size))
+      || unlikely (data->d_size < size)
+      || unlikely ((size_t)(addr - data->d_buf) > data->d_size - size))
     {
       __libdw_seterrno (DWARF_E_INVALID_OFFSET);
       return false;
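Review bot: The cast in `(size_t)(addr - data->d_buf)` is sound only because `addr < data->d_buf` was rejected first, and the subtraction is still a pointer difference that ISO C defines only when both pointers lie in the same object, which is exactly what this function is trying to establish. The declaration of `addr` is outside the hunk, but if callers can pass a pointer that is not derived from the section buffer, comparing the addresses as integers avoids depending on that: `|| unlikely ((uintptr_t) addr - (uintptr_t) data->d_buf > data->d_size - size))`. Either way, a short comment stating that the earlier lower-bound test makes the difference non-negative would document why the cast cannot turn a negative value into a huge one.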