From: Ulf Hermann
Date: Tue, 9 May 2017 16:28:33 +0000 (+0200)
Subject: Don't overflow in __libdw_in_section and __libdw_offset_in_section.
X-Git-Tag: elfutils-0.171~92
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0d100f63db640c533748a7adaa099499b2d2d4b0;p=thirdparty%2Felfutils.git
Don't overflow in __libdw_in_section and __libdw_offset_in_section.
This exposes a bug in dwarf_formstring as detected by the dwarf-getmacros test before we made sure to use the correct sec_idx for the CU.
Signed-off-by: Ulf Hermann
Signed-off-by: Mark Wielaard
---
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 22b7bf4db..eb1cb709e 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,10 @@
+2017-05-09 Ulf Hermann
+ Mark Wielaard
+
+ * libdwP.h (__libdw_in_section): Fix check for the upper border of
+ the range.
+ (__libdw_offset_in_section): Likewise.
+
 2017-12-20 Mark Wielaard * libdwP.h (struct Dwarf_CU): Add sec_idx field.
diff --git a/libdw/libdwP.h b/libdw/libdwP.h
index f524347c7..82b47d09e 100644
--- a/libdw/libdwP.h
+++ b/libdw/libdwP.h
@@ -628,7 +628,8 @@ __libdw_offset_in_section (Dwarf *dbg, int sec_index,
 if (data == NULL)
 return -1;
 if (unlikely (offset > data->d_size)
- || unlikely (data->d_size - offset < size))
+ || unlikely (data->d_size < size)
+ || unlikely (offset > data->d_size - size))
 {
 __libdw_seterrno (DWARF_E_INVALID_OFFSET);
 return -1;
@@ -645,7 +646,8 @@ __libdw_in_section (Dwarf *dbg, int sec_index,
 if (data == NULL)
 return false;
 if (unlikely (addr < data->d_buf)
- || unlikely (data->d_size - (addr - data->d_buf) < size))
+ || unlikely (data->d_size < size)
+ || unlikely ((size_t)(addr - data->d_buf) > data->d_size - size))
 {
 __libdw_seterrno (DWARF_E_INVALID_OFFSET);
 return false;
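Review bot: The order of the clauses in the new condition of __libdw_offset_in_section is load-bearing but nothing in the code says so. `data->d_size < size` must be evaluated before `data->d_size - size`, otherwise the unsigned subtraction wraps and an out-of-range offset from the file passes the bounds check. I would add `/* Check size against d_size first so that d_size - size cannot wrap.  */` above the `if`; the same comment fits the matching condition in __libdw_in_section. With the two new clauses in place the leading `offset > data->d_size` test looks redundant, since any such offset also exceeds `data->d_size - size`, so it could be dropped. The function body starts and ends outside the hunk.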
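Review bot: In __libdw_in_section, `addr < data->d_buf` and `addr - data->d_buf` operate on a pointer that may lie outside the section buffer, which is exactly the case this check exists to catch. ISO C leaves relational comparison and subtraction of pointers into different objects undefined, so an optimizer may assume addr is inside the buffer even though this works in practice on flat-address targets. Doing the range test on integers avoids relying on that, e.g. `uintptr_t a = (uintptr_t) addr, b = (uintptr_t) data->d_buf;` and then `a < b || data->d_size < size || a - b > data->d_size - size`. The parameter declarations and the end of the function are outside the hunk, so confirm addr's declared type before changing this.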