libdw: Make sure end of next cu doesn't overflow section data size.

An invalid or trucated debug info/type section could cause the cu endp
to point beyond the end of section data.

Signed-off-by: Mark Wielaard <mjw@redhat.com>

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index fb7b4e9407f257774a00f8aea0f2fb76437c0410..4d08412b92dabb481877e5e515aa057ab5d62036 100644 (file)
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,7 @@
+2014-12-11  Mark Wielaard  <mjw@redhat.com>
+
+       * libdw_findcu.c (__libdw_intern_next_unit): Sanity check offset.
+
 2014-12-13  Mark Wielaard  <mjw@redhat.com>
 
        * dwarf_getaranges.c (compare_aranges): Make sure Dwarf_Addr

diff --git a/libdw/libdw_findcu.c b/libdw/libdw_findcu.c
index 3c9633e2b863ea2f3f35eb7afe497f8378d90939..c783ff8a5340c6592a2cf9be5ae6e1c5d84d7d11 100644 (file)
--- a/libdw/libdw_findcu.c
+++ b/libdw/libdw_findcu.c
@@ -94,6 +94,12 @@ __libdw_intern_next_unit (dbg, debug_types)
       return NULL;
     }
 
+  /* Invalid or truncated debug section data?  */
+  Elf_Data *data = dbg->sectiondata[debug_types
+                                   ? IDX_debug_types : IDX_debug_info];
+  if (unlikely (*offsetp > data->d_size))
+    *offsetp = data->d_size;
+
   /* Create an entry for this CU.  */
   struct Dwarf_CU *newp = libdw_typed_alloc (dbg, struct Dwarf_CU);