Fix potential illegal memory accesses when parsing corrupt DWARF data.

	PR 29914
	* dwarf.c (fetch_indexed_value): Fail if the section is not big
	enough to contain a header size field.
	(display_debug_addr): Fail if the computed address size is too big
	or too small.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 16bddf73c07e57530e091ab903627e852cabd699..6bd121e82ae0e69d76966564f9af9f0ea29068b3 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,11 @@
+2022-12-19  Nick Clifton  <nickc@redhat.com>
+
+       PR 29914
+       * dwarf.c (fetch_indexed_value): Fail if the section is not big
+       enough to contain a header size field.
+       (display_debug_addr): Fail if the computed address size is too big
+       or too small.
+
 2022-12-16  Nick Clifton  <nickc@redhat.com>
 
        PR 29908

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 03b36afcec07bebd5b9527c6e5841068e5f5e051..b792902c496b5849802b61243c0d93a68270740b 100644 (file)
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -739,6 +739,13 @@ fetch_indexed_value (uint64_t idx,
       return -1;
     }
 
+  if (section->size < 4)
+    {
+      warn (_("Section %s is too small to contain an value indexed from another section!\n"),
+           section->name);
+      return -1;
+    }
+
   uint32_t pointer_size, bias;
 
   if (byte_get (section->start, 4) == 0xffffffff)
@@ -7770,6 +7777,13 @@ display_debug_addr (struct dwarf_section *section,
       header = end;
       idx = 0;
 
+      if (address_size < 1 || address_size > sizeof (uint64_t))
+       {
+         warn (_("Corrupt %s section: address size (%x) is wrong"),
+               section->name, address_size);
+         return 0;
+       }
+
       while ((size_t) (end - entry) >= address_size)
        {
          uint64_t base = byte_get (entry, address_size);