From a5a89687681ca81e82681b56612495c0d087829e Mon Sep 17 00:00:00 2001
From: Roland McGrath
Date: Tue, 2 Aug 2005 01:24:01 +0000
Subject: [PATCH] 2005-08-01 Roland McGrath

* dwarf_getaranges.c (dwarf_getaranges): Check for bogus offset.
* dwarf_getabbrev.c (__libdw_getabbrev): Likewise.
---
 libdw/ChangeLog | 5 +++++
 libdw/dwarf_getabbrev.c | 7 +++++++
 libdw/dwarf_getaranges.c | 9 +++++++++
 3 files changed, 21 insertions(+)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 85f12c4e9..d87cf11c8 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2005-08-01 Roland McGrath
+
+ * dwarf_getaranges.c (dwarf_getaranges): Check for bogus offset.
+ * dwarf_getabbrev.c (__libdw_getabbrev): Likewise.
+
 2005-07-28 Ulrich Drepper
 
 * Makefile.am (libdw.so): No need to link with libeu.a anymore.
diff --git a/libdw/dwarf_getabbrev.c b/libdw/dwarf_getabbrev.c
index a6968a834..ecac08593 100644
--- a/libdw/dwarf_getabbrev.c
+++ b/libdw/dwarf_getabbrev.c
@@ -34,8 +34,15 @@ __libdw_getabbrev (dbg, cu, offset, lengthp, result)
 if (dbg->sectiondata[IDX_debug_abbrev] == NULL)
 return NULL;
 
+ if (offset >= dbg->sectiondata[IDX_debug_abbrev]->d_size)
+ {
+ __libdw_seterrno (DWARF_E_INVALID_OFFSET);
+ return NULL;
+ }
+
 const unsigned char *abbrevp
 = (unsigned char *) dbg->sectiondata[IDX_debug_abbrev]->d_buf + offset;
+
 if (*abbrevp == '\0')
 /* We are past the last entry. */
 return DWARF_END_ABBREV;
diff --git a/libdw/dwarf_getaranges.c b/libdw/dwarf_getaranges.c
index f7cf050f5..d51ddaeb5 100644
--- a/libdw/dwarf_getaranges.c
+++ b/libdw/dwarf_getaranges.c
@@ -106,6 +106,10 @@ dwarf_getaranges (dbg, aranges, naranges)
 else
 offset = read_8ubyte_unaligned_inc (dbg, readp);
 
+ /* Sanity-check the offset. */
+ if (offset + 4 > dbg->sectiondata[IDX_debug_info]->d_size)
+ goto invalid;
+
 unsigned int address_size = *readp++;
 if (address_size != 4 && address_size != 8)
 goto invalid;
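Review bot: The new range check on `offset` in the dwarf_getabbrev.c hunk guards only the single byte that `*abbrevp` reads; the decoding of the abbrev code, tag and attribute pairs that presumably follows `return DWARF_END_ABBREV` is outside the hunk, and nothing here passes the section end down to it, so an abbrev table truncated in the middle of an entry can still read past `d_buf + d_size`. If those later reads are not already bounded, capture the limit once next to the new check, e.g. `const unsigned char *end = abbrevp + (dbg->sectiondata[IDX_debug_abbrev]->d_size - offset);`, and make each subsequent read fail with the same error-and-return-NULL path when it would cross it. Since the check rejects `offset == d_size` as well, a comment such as `/* An offset at or beyond the section end cannot start an entry.  */` would make the `>=` deliberate to the next reader. The rest of __libdw_getabbrev lies outside the hunk.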
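Review bot: The guard `offset + 4 > dbg->sectiondata[IDX_debug_info]->d_size` in the first dwarf_getaranges.c hunk can be defeated by wraparound: `offset` is filled from `read_8ubyte_unaligned_inc` in the 64-bit branch, so a file-supplied value within 4 of the type's maximum makes `offset + 4` wrap to a small number, the check passes, and the later reads at that offset go out of bounds. Compare without the addition instead, e.g. `if (dbg->sectiondata[IDX_debug_info]->d_size < 4 || offset > dbg->sectiondata[IDX_debug_info]->d_size - 4) goto invalid;`. The same line also dereferences `dbg->sectiondata[IDX_debug_info]` unconditionally, whereas the dwarf_getabbrev.c hunk of this commit first tests its section pointer for NULL; if dwarf_getaranges has not already rejected a missing .debug_info (its start lies outside the hunk), that NULL check belongs in front of this one.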
@@ -154,6 +158,11 @@ dwarf_getaranges (dbg, aranges, naranges)
 offset_size = 4;
 new_arange->arange.offset = offset + 3 * offset_size - 4 + 3;
 
+ /* Sanity-check the data. */
+ if (new_arange->arange.offset
+ >= dbg->sectiondata[IDX_debug_info]->d_size)
+ goto invalid;
+
 new_arange->next = arangelist;
 arangelist = new_arange;
 ++narangelist;
-- 
2.47.2
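Review bot: The added `goto invalid` fires after `new_arange` has been obtained but before it is linked into `arangelist`, so whether the entry is released depends on how it was allocated and on what `invalid:` does, both of which are outside this hunk; if it comes from the heap rather than an arena or the stack, this new early exit leaks it, and either `invalid:` should free it or the allocation should move below the check. The check itself deserves a comment, since `offset + 3 * offset_size - 4 + 3` appears to be the position just past a 32- or 64-bit DWARF CU header, i.e. the CU's first DIE: `/* The first DIE of this CU must lie inside .debug_info.  */`. dwarf_getaranges continues outside the hunk on both sides.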