From: Petr Machata Date: Wed, 9 Mar 2011 18:01:29 +0000 (-0800) Subject: Check for truncated section in dwarf_child. X-Git-Tag: elfutils-0.153~61 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3587087df31ddd2b0d96af5fbc9c976be92e4ada;p=thirdparty%2Felfutils.git Check for truncated section in dwarf_child. --- diff --git a/libdw/ChangeLog b/libdw/ChangeLog index b0ba7e007..e31fabf9e 100644 --- a/libdw/ChangeLog +++ b/libdw/ChangeLog @@ -1,3 +1,7 @@ +2011-03-09 Petr Machata + + * libdw/dwarf_child.c (dwarf_child): Check for section overrun. + 2011-02-23 Roland McGrath * libdwP.h (struct Dwarf) [USE_ZLIB]: New member sectiondata_gzip_mask. diff --git a/libdw/dwarf_child.c b/libdw/dwarf_child.c index 0080cf9d9..1ec3704e4 100644 --- a/libdw/dwarf_child.c +++ b/libdw/dwarf_child.c @@ -1,5 +1,5 @@ /* Return child of current DIE. - Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Red Hat, Inc. + Copyright (C) 2003-2011 Red Hat, Inc. This file is part of Red Hat elfutils. Written by Ulrich Drepper , 2003. @@ -175,18 +175,27 @@ dwarf_child (die, result) if (addr == NULL) return -1; + /* RESULT can be the same as DIE. So preserve what we need. */ + struct Dwarf_CU *cu = die->cu; + /* It's kosher (just suboptimal) to have a null entry first thing (7.5.3). So if this starts with ULEB128 of 0 (even with silly encoding of 0), it is a kosher null entry and we do not really have any children. */ const unsigned char *code = addr; - while (unlikely (*code == 0x80)) - ++code; + const unsigned char *endp = (cu->dbg->sectiondata[IDX_debug_info]->d_buf + + cu->dbg->sectiondata[IDX_debug_info]->d_size); + while (1) + { + if (unlikely (code >= endp)) /* Truncated section. */ + return 1; + if (unlikely (*code == 0x80)) + ++code; + else + break; + } if (unlikely (*code == '\0')) return 1; - /* RESULT can be the same as DIE. So preserve what we need. */ - struct Dwarf_CU *cu = die->cu; - /* Clear the entire DIE structure. This signals we have not yet determined any of the information. */ memset (result, '\0', sizeof (Dwarf_Die));