From ff1ce97525529bc4b68d0a48d0ae95a1f67f3779 Mon Sep 17 00:00:00 2001
From: Mark Wielaard
Date: Tue, 16 Dec 2014 16:10:28 +0100
Subject: [PATCH] readelf,libdw: Correct .debug_line overflow check for unit_length.
Signed-off-by: Mark Wielaard
---
 libdw/ChangeLog | 5 +++++
 libdw/dwarf_getsrclines.c | 4 ++--
 src/ChangeLog | 5 +++++
 src/readelf.c | 4 ++--
 4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index f1f7b1d16..0592220d6 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-16 Mark Wielaard
+
+ * dwarf_getsrclines.c (read_srclines): Correct overflow check for
+ unit_length.
+
 2014-12-15 Mark Wielaard
 * dwarf_getpubnames.c (get_offsets): Make sure whole unit fall inside
diff --git a/libdw/dwarf_getsrclines.c b/libdw/dwarf_getsrclines.c
index d50a17d52..d47794466 100644
--- a/libdw/dwarf_getsrclines.c
+++ b/libdw/dwarf_getsrclines.c
@@ -113,8 +113,8 @@ read_srclines (Dwarf *dbg,
 }
 /* Check whether we have enough room in the section. */
- if (unit_length < 2 + length + 5 * 1
- || unlikely (linep + unit_length > lineendp))
+ if (unlikely (unit_length > (size_t) (lineendp - linep)
+ || unit_length < 2 + length + 5 * 1))
 goto invalid_data;
 lineendp = linep + unit_length;
diff --git a/src/ChangeLog b/src/ChangeLog
index f401c3539..112af1916 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-16 Mark Wielaard
+
+ * readelf.c (print_debug_line_section): Correct overflow check for
+ unit_length.
+
 2014-12-15 Mark Wielaard
 * readelf.c (notice_listptr): Return false if offset doesn't fit
diff --git a/src/readelf.c b/src/readelf.c
index e9a356d1f..3c686d5c4 100644
--- a/src/readelf.c
+++ b/src/readelf.c
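Review bot: The new bound `unit_length > (size_t) (lineendp - linep)` in read_srclines (libdw/dwarf_getsrclines.c), and the identical line in print_debug_line_section (src/readelf.c), is only sound if `linep <= lineendp` already holds at this point; a negative difference would convert to a very large size_t and let any file-supplied unit_length through. The reads that would establish that ordering sit above both hunks and are not visible here, so either state the invariant in the comment over the check or, if it is not guaranteed, put `linep > lineendp ||` in front of the comparison. The lower bound `2 + length + 5 * 1` is also left unexplained; presumably it is the smallest possible line header (a 2-byte version, a header_length field of `length` bytes, and five 1-byte fields), and a one-line comment saying so would let a reader check the constant against the format. Since the same test now lives in two files, a small shared helper or a cross-reference comment would keep the two copies from drifting apart.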
@@ -6357,8 +6357,8 @@ print_debug_line_section (Dwfl_Module *dwflmod, Ebl *ebl, GElf_Ehdr *ehdr,
 }
 /* Check whether we have enough room in the section. */
- if (unit_length < 2 + length + 5 * 1
- || unlikely (linep + unit_length > lineendp))
+ if (unlikely (unit_length > (size_t) (lineendp - linep)
+ || unit_length < 2 + length + 5 * 1))
 goto invalid_data;
 lineendp = linep + unit_length;
--
2.47.3