From: Mark Wielaard Date: Sun, 16 Nov 2014 10:40:08 +0000 (+0100) Subject: readelf: Robustify print_cfa_program. X-Git-Tag: elfutils-0.161~84 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2af7b4942ad1e08d6e0609afec4edc82588f089e;p=thirdparty%2Felfutils.git readelf: Robustify print_cfa_program. Check block len before calling print_ops. Signed-off-by: Mark Wielaard
---
diff --git a/src/ChangeLog b/src/ChangeLog
index 756104173..fefd6c1d9 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2014-11-16 Mark Wielaard
+
+ * readelf.c (print_cfa_program): Check block len before calling
+ print_ops.
+
 2014-11-14 Mark Wielaard
 * readelf.c (print_debug_frame_section): Sanity Check CIE
diff --git a/src/readelf.c b/src/readelf.c
index 065ee1c34..697a0e507 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -4980,6 +4980,12 @@ print_cfa_program (const unsigned char *readp, const unsigned char *const endp,
 // XXX overflow check
 get_uleb128 (op1, readp); /* Length of DW_FORM_block. */
 printf (" def_cfa_expression %" PRIu64 "\n", op1);
+ if ((uint64_t) (endp - readp) < op1)
+ {
+ invalid:
+ fputs (gettext (" \n"), stdout);
+ return;
+ }
 print_ops (dwflmod, dbg, 10, 10, version, ptr_size, 0, NULL, op1, readp);
 readp += op1;
@@ -4990,6 +4996,8 @@ print_cfa_program (const unsigned char *readp, const unsigned char *const endp,
 get_uleb128 (op2, readp); /* Length of DW_FORM_block. */
 printf (" expression r%" PRIu64 " (%s) \n", op1, regname (op1));
+ if ((uint64_t) (endp - readp) < op1)
+ goto invalid;
 print_ops (dwflmod, dbg, 10, 10, version, ptr_size, 0, NULL, op2, readp);
 readp += op2;
@@ -5034,6 +5042,8 @@ print_cfa_program (const unsigned char *readp, const unsigned char *const endp,
 get_uleb128 (op2, readp); /* Length of DW_FORM_block. */
 printf (" val_expression r%" PRIu64 " (%s)\n", op1, regname (op1));
+ if ((uint64_t) (endp - readp) < op2)
+ goto invalid;
 print_ops (dwflmod, dbg, 10, 10, version, ptr_size, 0, NULL, op2, readp);
 readp += op2;
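Review bot: The new guard in the def_cfa_expression case (hunk at -4980) is only sound while `readp <= endp`, and the `get_uleb128 (op1, readp)` just above it still carries the `// XXX overflow check` marker and takes no end pointer in the visible lines. If that read advances `readp` past `endp` on a truncated section, `endp - readp` is negative, the cast to `uint64_t` turns it into a very large value, and the length check passes, so print_ops still receives a block that lies outside the buffer. I would write the guard as `if (readp > endp || (uint64_t) (endp - readp) < op1)` here and likewise in the hunks at -4990 and -5034, or bound the uleb128 read itself. Separately, the `invalid:` label sits inside this case's if-block and is jumped to from other cases; a comment such as `/* Shared bail-out for all block-length checks in this switch. */` would make that visible. The function body starts and ends outside the hunk.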
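Review bot: The check added in the DW_CFA expression case (hunk at -4990) compares the remaining bytes against `op1`, but in this case `op1` is the register number (it is printed as `r%op1`) and the block length is `op2`, which is what gets passed to print_ops and added to `readp`. A block length larger than the remaining data therefore still reaches print_ops whenever the register number is small, and a valid block is rejected when the register number happens to exceed the bytes left. The line should read `if ((uint64_t) (endp - readp) < op2)`, matching the val_expression hunk at -5034.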