From: Mark Wielaard <mark@klomp.org>
Date: Wed, 13 Jun 2018 13:21:37 +0000 (+0200)
Subject: readelf: While printing .debug_loc make sure that next_off doesn't overflow.
X-Git-Tag: elfutils-0.173~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6fbded3b73a1050e1efa410fc28a41fde29ed221;p=thirdparty%2Felfutils.git

readelf: While printing .debug_loc make sure that next_off doesn't overflow.

Found by the afl fuzzer. The next offset (after a locview) comes from a
DIE loclist attribute. This could be a bogus value so large it overflows
the buffer and makes us print past the end of buffer.

Signed-off-by: Mark Wielaard <mark@klomp.org>
---

diff --git a/src/ChangeLog b/src/ChangeLog
index 5f381cf8f..3d266e23d 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2018-06-16  Mark Wielaard  <mark@klomp.org>
+
+	* readelf.c (print_debug_loc_section): Make sure next_off doesn't
+	overflow d_buf.
+
 2018-06-13  Mark Wielaard  <mark@klomp.org>
 
 	* readelf.c (die_type_sign_bytes): New function.
diff --git a/src/readelf.c b/src/readelf.c
index c9efd795a..720d7f3fe 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -9310,7 +9310,9 @@ print_debug_loc_section (Dwfl_Module *dwflmod,
 						    listptr_idx);
 	  const unsigned char *locp = readp;
 	  const unsigned char *locendp;
-	  if (next_off == 0)
+	  if (next_off == 0
+	      || next_off > (size_t) (endp
+				      - (const unsigned char *) data->d_buf))
 	    locendp = endp;
 	  else
 	    locendp = (const unsigned char *) data->d_buf + next_off;