The afl fuzzer found that the way we handle "too many" directories or files
in the (DWARF5 style) line table badly. In the case of eu-readelf we would
print an endless stream of "bad directory" or "bad file". Just stop printing
when the end of data is reached. In the case of dwarf_getsrclines we would
allocate a giant amount of memory, even if there was no data to actually
read in. Sanity check that the directory and file counts seem reasonable
compared to the amount of data left (assume we need at least 1 byte of
data per form describing the dirs or files).
Signed-off-by: Mark Wielaard <mark@klomp.org>
+2018-06-08 Mark Wielaard <mark@klomp.org>
+
+ * dwarf_getsrclines.c (read_srclines): Sanity check ndirs and nfiles.
+
2018-06-08 Mark Wielaard <mark@klomp.org>
* dwarf_getlocation_attr.c (addr_valp): Set error and return NULL
if (nforms == 0 && ndirs != 0)
goto invalid_data;
+
+ /* Assume there is at least 1 byte needed per form to describe
+ the directory. Filters out insanely large ndirs. */
+ if (nforms != 0 && ndirs > (size_t) (lineendp - linep) / nforms)
+ goto invalid_data;
}
/* Arrange the list in array form. */
if (nforms == 0 && nfiles != 0)
goto invalid_data;
+ /* Assume there is at least 1 byte needed per form to describe
+ the file. Filters out insanely large nfiles. */
+ if (nforms != 0 && nfiles > (size_t) (lineendp - linep) / nforms)
+ goto invalid_data;
+
Dwarf_Attribute attr;
attr.cu = &fake_cu;
for (unsigned int n = 0; n < nfiles; n++)
+2018-06-08 Mark Wielaard <mark@klomp.org>
+
+ * readelf.c (print_debug_line_section): Stop printing directories
+ and files when we are at the end of the unit data.
+
2018-06-07 Mark Wielaard <mark@klomp.org>
* readelf.c (format_result): Removed.
printf (", ");
}
printf ("\n");
+ if (linep >= lineendp)
+ goto invalid_unit;
}
}
else
printf (", ");
}
printf ("\n");
+ if (linep >= lineendp)
+ goto invalid_unit;
}
}
else
projects / thirdparty / elfutils.git / commitdiff
