From: Mark Wielaard Date: Tue, 12 Jun 2018 12:36:50 +0000 (+0200) Subject: readelf: Check there are at least 4 bytes available for DWARF_FORM_block4. X-Git-Tag: elfutils-0.173~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=58ed0e647f1012f8b75eda47967d849aeb619ec2;p=thirdparty%2Felfutils.git readelf: Check there are at least 4 bytes available for DWARF_FORM_block4. Found by afl-fuzz. When printing a DWARF_FORM_block4 we checked there were only 2 bytes available (copy/paste from DW_FORM_block2 right before). Obviously we need at least 4 bytes to read the length of a DW_FORM_block4. Signed-off-by: Mark Wielaard --- diff --git a/src/ChangeLog b/src/ChangeLog index d401da27d..805a1bf04 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2018-06-12 Mark Wielaard + + * readelf.c (print_form_data): Check we have 4, not 2, bytes + available for DW_FORM_block4. + 2018-06-12 Mark Wielaard * readelf.c (print_form_data): Don't increase strreadp after use. diff --git a/src/readelf.c b/src/readelf.c index a6173806c..2e7378e20 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -7987,7 +7987,7 @@ print_form_data (Dwarf *dbg, int form, const unsigned char *readp, break; case DW_FORM_block4: - if (readendp - readp < 2) + if (readendp - readp < 4) goto invalid_data; val = read_4ubyte_unaligned_inc (dbg, readp); if ((size_t) (readendp - readp) < val)
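Review bot: In the DW_FORM_block4 case of print_form_data in src/readelf.c, the corrected bound `readendp - readp < 4` is still a hand-written literal that must match the width read by `read_4ubyte_unaligned_inc` on the following line. That pairing is what allowed the `< 2` copied from the DW_FORM_block2 case to go unnoticed. Consider having the block cases share one length-prefix helper that takes the prefix width once and uses it for both the availability check and the read, so the two cannot drift apart again. The patch also touches only src/ChangeLog and src/readelf.c. Since the commit message says the problem was found by afl-fuzz, adding the truncated input as a regression test would keep the short-read path covered.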