From 29cc1c29f1b08403e8d7dc249130876f6b2752b6 Mon Sep 17 00:00:00 2001
From: Petr Machata <pmachata@redhat.com>
Date: Thu, 17 Mar 2011 00:10:56 +0100
Subject: [PATCH] dwarflint: Better validation of .debug_line table header
 length

---
 dwarflint/Makefile.am          |  16 +++++++++++++++-
 dwarflint/check_debug_line.cc  |   8 +++++---
 dwarflint/highlevel_check.cc   |   2 --
 dwarflint/tests/garbage-11.bz2 | Bin 0 -> 592 bytes
 dwarflint/tests/run-bad.sh     |  14 +++++++++++++-
 5 files changed, 33 insertions(+), 7 deletions(-)
 create mode 100644 dwarflint/tests/garbage-11.bz2

diff --git a/dwarflint/Makefile.am b/dwarflint/Makefile.am
index d9ef2ab2d..7c0a9b2f9 100644
--- a/dwarflint/Makefile.am
+++ b/dwarflint/Makefile.am
@@ -116,7 +116,21 @@ EXTRA_DIST = $(EXTRA_TESTS) \
 	tests/check_range_out_of_scope-1.bz2 \
 	tests/check_debug_info_refs-1.bz2 \
 	tests/aranges_terminate_early.bz2
-	tests/libdl-2.12.so.debug.bz2
+	tests/libdl-2.12.so.debug.bz2 \
+	tests/hello.bad-1.bz2 \
+	tests/hello.bad-3.bz2 \
+	tests/empty-1.bz2 \
+	tests/garbage-1.bz2 \
+	tests/garbage-2.bz2 \
+	tests/garbage-3.bz2 \
+	tests/garbage-4.bz2 \
+	tests/garbage-5.bz2 \
+	tests/garbage-6.bz2 \
+	tests/garbage-7.bz2 \
+	tests/garbage-8.bz2 \
+	tests/garbage-9.bz2 \
+	tests/garbage-10.bz2 \
+	tests/garbage-11.bz2
 
 installed_TESTS_ENVIRONMENT = libdir=$(DESTDIR)$(libdir) \
 			      bindir=$(DESTDIR)$(bindir) \
diff --git a/dwarflint/check_debug_line.cc b/dwarflint/check_debug_line.cc
index 7fa097acf..26fb5d033 100644
--- a/dwarflint/check_debug_line.cc
+++ b/dwarflint/check_debug_line.cc
@@ -204,7 +204,7 @@ check_debug_line::check_debug_line (checkstack &stack, dwarflint &lint)
 	  wr_error (where) << "can't read attribute value." << std::endl;
 	  goto skip;
 	}
-      const unsigned char *program_start = sub_ctx.ptr + header_length;
+      const unsigned char *header_start = sub_ctx.ptr;
 
       /* Minimum instruction length.  */
       uint8_t minimum_i_length;
@@ -349,8 +349,9 @@ check_debug_line::check_debug_line (checkstack &stack, dwarflint &lint)
 	      << "no CU uses this line table." << std::endl;
 	}
 
-      /* Skip the rest of the header.  */
-      if (sub_ctx.ptr > program_start)
+      const unsigned char *program_start = header_start + header_length;
+      if (header_length > (uint64_t)(sub_ctx.end - header_start)
+	  || sub_ctx.ptr > program_start)
 	{
 	  wr_error (where)
 	    << "header claims that it has a size of " << header_length
@@ -364,6 +365,7 @@ check_debug_line::check_debug_line (checkstack &stack, dwarflint &lint)
 	}
       else if (sub_ctx.ptr < program_start)
 	{
+	  /* Skip the rest of the header.  */
 	  struct where wh = WHERE (sec_line, NULL);
 	  uint64_t off_start, off_end;
 	  if (read_check_zero_padding (&sub_ctx, &off_start, &off_end))
diff --git a/dwarflint/highlevel_check.cc b/dwarflint/highlevel_check.cc
index 17c69244a..13f7d1dd5 100644
--- a/dwarflint/highlevel_check.cc
+++ b/dwarflint/highlevel_check.cc
@@ -117,7 +117,6 @@ namespace
 
   elfutils::dwarf
   open_hl_dwarf (Dwarf *dw)
-  {
     try
       {
 	return dw;
@@ -128,7 +127,6 @@ namespace
 	  << "Couldn't initialize high-level DWARF descriptor." << std::endl;
 	throw check_base::failed ();
       }
-  }
 }
 
 open_highlevel_dwarf::open_highlevel_dwarf (checkstack &stack, dwarflint &lint)
diff --git a/dwarflint/tests/garbage-11.bz2 b/dwarflint/tests/garbage-11.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..450e72cc341db3e1d2cac14e303394f33cf87fd2
GIT binary patch
literal 592
zc-jF_0<Zl-T4*^jL0KkKS+<;?i2wox|C;~*{!3=(_kY{%62SlO-)Mk95I_JBAPB$#
z=M-wxH8K*L)XI5AW~t~wkTf!A05*^S007#alSYG6Q)+0QjVb9pA&>xK8f3%(05S|l
zAYvX!aM00{MvWS1WMnXaG5};6XaE6_G60bxhow){(8Vx=L5&DK4^jX$^#C*&2s9cR
z7g3tE_E@G6G7;3%a-)^0MKvfz=3n!60YHk3NlRgkVl_jhdgYrF-kqpsf*5qj)bsDH
zV6crC2}xyKWwa3W5J}40R(tm+Q%zX{^WC1FWuYQlaeE9YvP=nJ?#%4kLNPL?giv*~
zh|h$L1|(65ApAc22E(1909UUD!$jH&;skjbK@4mL#5OiNAp=Mu8AK3)0S^nXOLg?k
zk|z-e2#9^>#;cp%EfEF&rb0zxw&S62i9;7!nXW-cq&YW=0~@jVm}6@T73z#Esgo9F
zTnI9rU1a2HIr}2}3UKkr$zT^SI2%kZLJd|K3_Dj~HyL`7O=vl`eKJU?-K4HcXhC|k
z5=&6gaVGOO1(8zL$iMO)TOWkX=ppdxTY-S>0c<f;7BDN7k|=!4XUG|pZkaZZSunO2
z@BAt-ZDutCV81e2F-V&rX8V_9f89dNE`_T6q$qqLwqXFY?h-!B=w>}s3i%u~GQe4w
zBnCPupW~oPGgHQEa`+PTGJP2)hb~+}Rwb51k)tS`{*99t62zu7B1&mT3A{^?vynN3
e@QKJ1ib3!U9zCLHtzO0t@pmLsg$WC3$@q{Bj`|A#

literal 0
Hc-jL100001

diff --git a/dwarflint/tests/run-bad.sh b/dwarflint/tests/run-bad.sh
index bb2b92e09..46678f0f7 100755
--- a/dwarflint/tests/run-bad.sh
+++ b/dwarflint/tests/run-bad.sh
@@ -30,7 +30,7 @@ srcdir=$srcdir/tests
 testfiles hello.bad-1 hello.bad-3 empty-1 \
     garbage-1 garbage-2 garbage-3 garbage-4 \
     garbage-5 garbage-6 garbage-7 garbage-8 \
-    garbage-9 garbage-10
+    garbage-9 garbage-10 garbage-11
 
 testrun_compare ./dwarflint hello.bad-1 <<EOF
 error: .debug_info: DIE 0x83: abbrev section at 0x0 doesn't contain code 83.
@@ -104,3 +104,15 @@ testrun_compare ./dwarflint garbage-10 <<EOF
 warning: .rela.debug_info: offset 0xc: relocation formed using STT_SECTION symbol with non-zero value.
 error: .rela.debug_info: offset 0x11: couldn't obtain symbol #7208969: invalid section index.
 EOF
+
+testrun_compare ./dwarflint garbage-11 <<EOF
+error: .rela.debug_info: offset 0x600: invalid relocation 2560 (<INVALID RELOC>).
+error: .rela.debug_info: offset 0xc00: invalid relocation 2560 (<INVALID RELOC>).
+error: .rela.debug_info: offset 0x1100: invalid relocation 2560 (<INVALID RELOC>).
+error: .rela.debug_info: offset 0x1500: invalid relocation 256 (<INVALID RELOC>).
+error: .rela.debug_info: offset 0x1d00: invalid relocation 256 (<INVALID RELOC>).
+error: .rela.debug_info: offset 0x2500: invalid relocation 2560 (<INVALID RELOC>).
+error: .rela.debug_info: offset 0x3600: invalid relocation 256 (<INVALID RELOC>).
+error: .debug_line: table 0: header claims that it has a size of 542, but in fact it has a size of 30.
+error: .debug_info: DIE 0xb (abbr. attribute 0xa): unresolved reference to .debug_line table 0x0.
+EOF
-- 
2.47.3