PR22169, heap-based buffer overflow in read_1_byte

The .debug_line header length field doesn't include the length field
itself, ie. it's the size of the rest of .debug_line.

	PR 22169
	* dwarf2.c (decode_line_info): Correct .debug_line unit_length check.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 57f5ad3b560cd6059cf33765c284a7e0a189478b..f63a8bb169442766b365be94c3d11e1afb7bfe96 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,8 @@
+2017-09-24  Alan Modra  <amodra@gmail.com>
+
+       PR 22169
+       * dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
+
 2017-09-24  Alan Modra  <amodra@gmail.com>
 
        PR 22167

diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index d1cf1aa71fc6ff709282ca11f164e3b2ca9afce0..89a3f9b183019fb8d92ba59584b6fb1429d72d55 100644 (file)
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -2096,12 +2096,13 @@ decode_line_info (struct comp_unit *unit, struct dwarf2_debug *stash)
       offset_size = 8;
     }
 
-  if (unit->line_offset + lh.total_length > stash->dwarf_line_size)
+  if (lh.total_length > (size_t) (line_end - line_ptr))
     {
       _bfd_error_handler
        /* xgettext: c-format */
-       (_("Dwarf Error: Line info data is bigger (%#Lx) than the space remaining in the section (%#Lx)"),
-        lh.total_length, stash->dwarf_line_size - unit->line_offset);
+       (_("Dwarf Error: Line info data is bigger (%#Lx)"
+          " than the space remaining in the section (%#lx)"),
+        lh.total_length, (unsigned long) (line_end - line_ptr));
       bfd_set_error (bfd_error_bad_value);
       return NULL;
     }