From: Petr Machata
Date: Wed, 16 Mar 2011 23:10:56 +0000 (+0100)
Subject: dwarflint: Better validation of .debug_line table header length
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=29cc1c29f1b08403e8d7dc249130876f6b2752b6;p=thirdparty%2Felfutils.git
dwarflint: Better validation of .debug_line table header length
---
diff --git a/dwarflint/Makefile.am b/dwarflint/Makefile.am
index d9ef2ab2d..7c0a9b2f9 100644
--- a/dwarflint/Makefile.am
+++ b/dwarflint/Makefile.am
@@ -116,7 +116,21 @@ EXTRA_DIST = $(EXTRA_TESTS) \
 tests/check_range_out_of_scope-1.bz2 \
 tests/check_debug_info_refs-1.bz2 \
 tests/aranges_terminate_early.bz2
- tests/libdl-2.12.so.debug.bz2
+ tests/libdl-2.12.so.debug.bz2 \
+ tests/hello.bad-1.bz2 \
+ tests/hello.bad-3.bz2 \
+ tests/empty-1.bz2 \
+ tests/garbage-1.bz2 \
+ tests/garbage-2.bz2 \
+ tests/garbage-3.bz2 \
+ tests/garbage-4.bz2 \
+ tests/garbage-5.bz2 \
+ tests/garbage-6.bz2 \
+ tests/garbage-7.bz2 \
+ tests/garbage-8.bz2 \
+ tests/garbage-9.bz2 \
+ tests/garbage-10.bz2 \
+ tests/garbage-11.bz2
 
 installed_TESTS_ENVIRONMENT = libdir=$(DESTDIR)$(libdir) \
 bindir=$(DESTDIR)$(bindir) \
diff --git a/dwarflint/check_debug_line.cc b/dwarflint/check_debug_line.cc
index 7fa097acf..26fb5d033 100644
--- a/dwarflint/check_debug_line.cc
+++ b/dwarflint/check_debug_line.cc
@@ -204,7 +204,7 @@ check_debug_line::check_debug_line (checkstack &stack, dwarflint &lint)
 wr_error (where) << "can't read attribute value." << std::endl;
 goto skip;
 }
- const unsigned char *program_start = sub_ctx.ptr + header_length;
+ const unsigned char *header_start = sub_ctx.ptr;
 
 /* Minimum instruction length. */
 uint8_t minimum_i_length;
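Review bot: The context line `tests/aranges_terminate_early.bz2` carries no trailing backslash, so as printed the EXTRA_DIST continuation stops there and the `tests/libdl-2.12.so.debug.bz2 \` line together with the fourteen new fixture entries is no longer part of the variable (a bare tab-indented line outside a rule makes make fail); unless the backslash was lost when the diff was flattened, it should read `tests/aranges_terminate_early.bz2 \`. Since run-bad.sh now depends on garbage-11.bz2, a `make distcheck` run would confirm the new fixtures actually reach the tarball.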
@@ -349,8 +349,9 @@ check_debug_line::check_debug_line (checkstack &stack, dwarflint &lint)
 << "no CU uses this line table." << std::endl;
 }
 
- /* Skip the rest of the header. */
- if (sub_ctx.ptr > program_start)
+ const unsigned char *program_start = header_start + header_length;
+ if (header_length > (uint64_t)(sub_ctx.end - header_start)
+ || sub_ctx.ptr > program_start)
 {
 wr_error (where)
 << "header claims that it has a size of " << header_length
@@ -364,6 +365,7 @@ check_debug_line::check_debug_line (checkstack &stack, dwarflint &lint)
 }
 else if (sub_ctx.ptr < program_start)
 {
+ /* Skip the rest of the header. */
 struct where wh = WHERE (sec_line, NULL);
 uint64_t off_start, off_end;
 if (read_check_zero_padding (&sub_ctx, &off_start, &off_end))
diff --git a/dwarflint/highlevel_check.cc b/dwarflint/highlevel_check.cc
index 17c69244a..13f7d1dd5 100644
--- a/dwarflint/highlevel_check.cc
+++ b/dwarflint/highlevel_check.cc
@@ -117,7 +117,6 @@ namespace
 
 elfutils::dwarf
 open_hl_dwarf (Dwarf *dw)
- {
 try
 {
 return dw;
@@ -128,7 +127,6 @@ namespace
 << "Couldn't initialize high-level DWARF descriptor." << std::endl;
 throw check_base::failed ();
 }
- }
 }
 
 open_highlevel_dwarf::open_highlevel_dwarf (checkstack &stack, dwarflint &lint)
diff --git a/dwarflint/tests/garbage-11.bz2 b/dwarflint/tests/garbage-11.bz2
new file mode 100644
index 000000000..450e72cc3
Binary files /dev/null and b/dwarflint/tests/garbage-11.bz2 differ
diff --git a/dwarflint/tests/run-bad.sh b/dwarflint/tests/run-bad.sh
index bb2b92e09..46678f0f7 100755
--- a/dwarflint/tests/run-bad.sh
+++ b/dwarflint/tests/run-bad.sh
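Review bot: `program_start` is derived from the untrusted `header_length` on the first added line before the range check on the following line has run, so for exactly the oversized header this commit targets (the 542-byte claim in the new run-bad.sh expectation) `header_start + header_length` is formed outside the section, which is undefined pointer arithmetic even though it is never dereferenced; only the order of the `||` operands keeps that pointer out of the comparison. Compare the length against `sub_ctx.end - header_start` first and form the pointer only from an in-range value, clamping to `sub_ctx.end` otherwise, as sketched below. The "but in fact it has a size of" value printed a few lines further down is outside the hunk; if it is still computed through `program_start` it would need to become `sub_ctx.ptr - header_start` once the pointer is clamped. The enclosing constructor body starts and ends outside the hunk.
```cpp
	  /* Validate the claimed header length against what is left of the
	     section before deriving a pointer from it; an oversized value
	     must never be added to header_start.  */
	  const uint64_t header_avail = (uint64_t)(sub_ctx.end - header_start);
	  const unsigned char *program_start
	    = header_length > header_avail ? sub_ctx.end
					   : header_start + header_length;
	  if (header_length > header_avail || sub_ctx.ptr > program_start)
	    {
	      // … unchanged: "header claims that it has a size of" diagnostic …
```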
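Review bot: As far as the flattened hunks show, removing the `{` after `open_hl_dwarf (Dwarf *dw)` in the first highlevel_check.cc hunk and the matching `}` in the second turns the body into a function-try-block, which is valid C++ but rare enough that a reader will assume a brace went missing; a short comment above `try`, such as `/* Function-try-block: the catch below covers the whole body.  */`, would make the intent explicit. It is also correct only because the handler always throws — a handler that fell off the end of a non-void function-try-block would be undefined behaviour — so that invariant belongs in the same comment. The function begins in the first hunk and ends in the second; the lines between them are not shown.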
@@ -30,7 +30,7 @@ srcdir=$srcdir/tests testfiles hello.bad-1 hello.bad-3 empty-1 \ garbage-1 garbage-2 garbage-3 garbage-4 \ garbage-5 garbage-6 garbage-7 garbage-8 \ - garbage-9 garbage-10 + garbage-9 garbage-10 garbage-11 testrun_compare ./dwarflint hello.bad-1 <). +error: .rela.debug_info: offset 0xc00: invalid relocation 2560 (). +error: .rela.debug_info: offset 0x1100: invalid relocation 2560 (). +error: .rela.debug_info: offset 0x1500: invalid relocation 256 (). +error: .rela.debug_info: offset 0x1d00: invalid relocation 256 (). +error: .rela.debug_info: offset 0x2500: invalid relocation 2560 (). +error: .rela.debug_info: offset 0x3600: invalid relocation 256 (). +error: .debug_line: table 0: header claims that it has a size of 542, but in fact it has a size of 30. +error: .debug_info: DIE 0xb (abbr. attribute 0xa): unresolved reference to .debug_line table 0x0. +EOF