From: Mark Wielaard
Date: Sat, 18 Aug 2018 11:27:48 +0000 (+0200)
Subject: libdw, readelf: Make sure there is enough data to read full aranges header.
X-Git-Tag: elfutils-0.174~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29e31978ba51c1051743a503ee325b5ebc03d7e9;p=thirdparty%2Felfutils.git
libdw, readelf: Make sure there is enough data to read full aranges header.
dwarf_getaranges didn't check if there was enough data left to read both the address and segment size. readelf didn't check there was enough data left to read the segment size.
https://sourceware.org/bugzilla/show_bug.cgi?id=23541
Signed-off-by: Mark Wielaard
---
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index cb4f34ed7..472d92283 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2018-08-18 Mark Wielaard
+
+ * dwarf_getaranges.c (dwarf_getaranges.c): Make sure there is enough
+ data to read the address and segment size.
+
 2018-07-04 Ross Burton
 
 * libdw_alloc.c: Remove error.h include.
diff --git a/libdw/dwarf_getaranges.c b/libdw/dwarf_getaranges.c
index bff9c8602..de5b81baa 100644
--- a/libdw/dwarf_getaranges.c
+++ b/libdw/dwarf_getaranges.c
@@ -148,6 +148,10 @@ dwarf_getaranges (Dwarf *dbg, Dwarf_Aranges **aranges, size_t *naranges)
 length_bytes, &offset, IDX_debug_info, 4))
 goto fail;
 
+ /* Next up two bytes for address and segment size. */
+ if (readp + 2 > readendp)
+ goto invalid;
+
 unsigned int address_size = *readp++;
 if (unlikely (address_size != 4 && address_size != 8))
 goto invalid;
diff --git a/src/ChangeLog b/src/ChangeLog
index 8c89f83d0..2f9f77475 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2018-08-18 Mark Wielaard
+
+ * readelf.c (print_debug_aranges_section): Make sure there is enough
+ data to read the header segment size.
+
 2018-08-18 Mark Wielaard
 
 * elflint.c (check_sysv_hash): Calculate needed size using unsigned
diff --git a/src/readelf.c b/src/readelf.c
index 7b5707f87..7b488ac57 100644
--- a/src/readelf.c
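Review bot: The new guard in the dwarf_getaranges hunk, `if (readp + 2 > readendp)`, computes a pointer that can lie more than one element past the end of the buffer when fewer than two bytes remain, which is undefined behaviour in C even though it behaves as intended on common targets. This assumes readendp marks the end of the section data and readp never exceeds it; both are set outside the hunk. Comparing the remaining length avoids the out-of-range pointer and matches the `unlikely` style of the check just below it: `if (unlikely (readendp - readp < 2)) goto invalid;`. The readelf.c hunk has the same shape in `if (readp + 1 > readendp)`, where `if (readp >= readendp)` expresses the same test without the addition. The body of dwarf_getaranges continues on both sides of the hunk.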
+++ b/src/readelf.c
@@ -5447,6 +5447,8 @@ print_debug_aranges_section (Dwfl_Module *dwflmod __attribute__ ((unused)),
 goto next_table;
 }
 
+ if (readp + 1 > readendp)
+ goto invalid_data;
 unsigned int segment_size = *readp++;
 printf (gettext (" Segment size: %6" PRIu64 "\n\n"),
 (uint64_t) segment_size);
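Review bot: The added check in print_debug_aranges_section covers only the single segment-size byte and carries no comment, unlike the matching libdw check that bounds the address and segment size together. A reader of this hunk cannot tell whether the address-size read above it is already bounded, since that read is outside the hunk. If it is guarded there, a short comment such as `/* One more byte for the segment size.  */` above the new `if` would make the pairing explicit. The function's body starts and ends outside the hunk.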