https://sourceware.org/bugzilla/show_bug.cgi?id=33638

            Bug ID: 33638
           Summary: objdump enters infinite warning-print loop on crafted
                    input
           Product: binutils
           Version: 2.44
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: 970429025 at qq dot com
  Target Milestone: ---

Created attachment 16469
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16469&action=edit
The PoC attachment contains the input file that triggers this behavior
(Infinite_Loop).

Overview:
Running objdump with a specific input causes the program to repeatedly print
the same warning message and never terminate.
The program does not progress beyond this state unless interrupted manually.

Steps to Reproduce:
./objdump --debugging-tags --ctf-parent libsystem.dylib Infinite_Loop

Actual Results:
objdump continuously prints the same warning:
Warning: The length field (0x20279) in the debug_rnglists header is wrong - the
section is too small.
This message repeats indefinitely.
The program does not exit and must be terminated manually (e.g., via Ctrl-C
inside gdb).

GDB output excerpt:
Program received signal SIGINT, Interrupt.
0x00007b7584bc0104 in __GI___libc_write (fd=2, buf=0x7ffe4a53c2b0, nbytes=92)
at ../sysdeps/unix/sysv/linux/write.c:27
27      ../sysdeps/unix/sysv/linux/write.c: No such file or directory.
(gdb) bt
#0  0x00007b7584bc0104 in __GI___libc_write (fd=2, buf=0x7ffe4a53c2b0,
nbytes=92) at ../sysdeps/unix/sysv/linux/write.c:27
#1  0x00007b7584b3b15d in _IO_new_file_write (f=0x7b7584e9c680
<_IO_2_1_stderr_>, data=0x7ffe4a53c2b0, n=92) at fileops.c:1203
#2  0x00007b7584b3bacf in new_do_write (to_do=<optimized out>,
    data=0x7ffe4a53c2b0 "The length field (0x20279) in the debug_rnglists
header is wrong - the section is too small\noclists section contains corrupt or
unsupported version number: 16733.\n", fp=0x7b7584e9c680 <_IO_2_1_stderr_>) at
fileops.c:457
#3  _IO_new_file_xsputn (f=0x7b7584e9c680 <_IO_2_1_stderr_>, data=<optimized
out>, n=92) at fileops.c:1277
#4  0x00007b7584b0e6c7 in buffered_vfprintf (s=s@entry=0x7b7584e9c680
<_IO_2_1_stderr_>,
    format=format@entry=0x78f389 "The length field (%#lx) in the debug_rnglists
header is wrong - the section is too small\n", args=args@entry=0x7ffe4a53e920)
at vfprintf.c:2350
#5  0x00007b7584b0b6f6 in _IO_vfprintf_internal (s=0x7b7584e9c680
<_IO_2_1_stderr_>,
    format=format@entry=0x78f389 "The length field (%#lx) in the debug_rnglists
header is wrong - the section is too small\n", ap=ap@entry=0x7ffe4a53e920) at
vfprintf.c:1301
#6  0x00000000004c9e1a in warn (message=0x78f389 "The length field (%#lx) in
the debug_rnglists header is wrong - the section is too small\n")
    at ../../binutils-2.44/binutils/elfcomm.c:62
#7  0x0000000000499bfc in display_debug_rnglists_unit_header
(section=section@entry=0xadf6b0 <debug_displays+2128>,
unit_offset=unit_offset@entry=0x7ffe4a53ea28,
    poffset_size=poffset_size@entry=0x7ffe4a53ea57 "\004\360\243F") at
../../binutils-2.44/binutils/dwarf.c:8281
#8  0x000000000046aa80 in display_debug_ranges (section=0x2,
section@entry=0xadf6b0 <debug_displays+2128>, file=file@entry=0x3c0943f0)
    at ../../binutils-2.44/binutils/dwarf.c:8458
#9  0x000000000043f9aa in dump_dwarf_section (abfd=abfd@entry=0x3c0943f0,
section=section@entry=0x3c097130, arg=arg@entry=0x7ffe4a53eb48)
    at ../../binutils-2.44/binutils/objdump.c:4499
#10 0x000000000055b5e4 in bfd_map_over_sections (abfd=abfd@entry=0x3c0943f0,
operation=0x43f6c0 <dump_dwarf_section>,
user_storage=user_storage@entry=0x7ffe4a53eb48)
    at ../../binutils-2.44/bfd/section.c:1391
#11 0x000000000043b2e1 in dump_dwarf (abfd=0x3c0943f0, is_mainfile=true) at
../../binutils-2.44/binutils/objdump.c:4537
#12 dump_bfd (abfd=abfd@entry=0x3c0943f0, is_mainfile=true) at
../../binutils-2.44/binutils/objdump.c:5818
#13 0x0000000000439724 in display_object_bfd (abfd=abfd@entry=0x3c0943f0) at
../../binutils-2.44/binutils/objdump.c:5855
#14 0x00000000004394f1 in display_any_bfd (file=file@entry=0x3c0943f0,
level=level@entry=0) at ../../binutils-2.44/binutils/objdump.c:5934
#15 0x000000000043767c in display_file (filename=0x7ffe4a540538
"Infinite_Loop", target=0x0) at ../../binutils-2.44/binutils/objdump.c:5955
#16 main (argc=<optimized out>, argv=<optimized out>) at
../../binutils-2.44/binutils/objdump.c:6364
(gdb)

Expected Results:
objdump should stop processing and report an error once the invalid data is
detected, instead of entering an infinite output loop.

Build & Platform:
binutils version: 2.44
component: objdump
OS: Ubuntu 18.04.6 LTS
arch: x86_64

Additional Information:
The PoC attachment contains the input file that triggers this behavior
(Infinite_Loop).
The program does not crash, but enters a non-terminating warning loop.
The issue is fully reproducible using the command above.

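The "Expected Results" above ask for the dump to stop once the bad length is detected. The following C program is an added illustration of that behaviour, written for this note and not taken from binutils: a small parser for a DWARF 5 .debug_rnglists unit header (DWARF 5, section 7.28 layout: initial length, version, address_size, segment_selector_size, offset_entry_count) that rejects a unit_length larger than the bytes left in the section before any "next unit" offset is derived from it, and a walker that warns once and returns instead of revisiting the same offset. The two sample sections, including one whose length field is the 0x20279 from the report inside a 12-byte section, are constructed here; the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parsed DWARF 5 .debug_rnglists unit header. Illustration only, not binutils code. */
struct rnglists_hdr {
    uint64_t unit_length;        /* bytes in the unit after the length field */
    size_t   length_field_size;  /* 4 (32-bit DWARF) or 12 (64-bit DWARF escape + 8) */
    uint16_t version;
    uint8_t  address_size;
    uint8_t  segment_selector_size;
    uint32_t offset_entry_count;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Parse the header of the unit at sec[off] (caller guarantees off < sec_len).
   Returns 0 on success, -1 with a message in err if the header is truncated,
   the length field overruns the section, or the unit cannot hold the fixed header. */
static int parse_rnglists_unit_header(const uint8_t *sec, size_t sec_len, size_t off,
                                      struct rnglists_hdr *h, char *err, size_t errlen)
{
    const size_t FIXED = 8;   /* version(2) + address_size(1) + segment_selector_size(1) + offset_entry_count(4) */
    size_t remaining = sec_len - off, pos = off;

    if (remaining < 4) { snprintf(err, errlen, "section too small for a length field"); return -1; }
    uint32_t len32 = rd32(sec + pos);
    if (len32 == 0xffffffffu) {                       /* 64-bit DWARF escape */
        if (remaining < 12) { snprintf(err, errlen, "truncated 64-bit length field"); return -1; }
        h->unit_length = rd64(sec + pos + 4);
        h->length_field_size = 12;
    } else if (len32 >= 0xfffffff0u) {                /* reserved initial-length values */
        snprintf(err, errlen, "reserved initial length %#x", len32); return -1;
    } else {
        h->unit_length = len32;
        h->length_field_size = 4;
    }
    pos += h->length_field_size;

    /* The bound that matters: reject a length that does not fit in what is left
       of the section before anything is computed from it. */
    if (h->unit_length > remaining - h->length_field_size) {
        snprintf(err, errlen, "The length field (%#llx) in the debug_rnglists header is wrong - the section is too small",
                 (unsigned long long)h->unit_length);
        return -1;
    }
    if (h->unit_length < FIXED) {
        snprintf(err, errlen, "unit length %#llx smaller than the fixed header", (unsigned long long)h->unit_length);
        return -1;
    }
    h->version = rd16(sec + pos); pos += 2;
    h->address_size = sec[pos++];
    h->segment_selector_size = sec[pos++];
    h->offset_entry_count = rd32(sec + pos);
    if (h->version != 5) { snprintf(err, errlen, "unsupported rnglists version %u", h->version); return -1; }
    size_t offset_size = h->length_field_size == 12 ? 8 : 4;   /* offsets table must fit inside the unit too */
    if ((uint64_t)h->offset_entry_count * offset_size > h->unit_length - FIXED) {
        snprintf(err, errlen, "offset table overruns the unit"); return -1;
    }
    return 0;
}

/* Walk every unit. On a corrupt header it warns once and stops; the offset always
   advances by at least 12 bytes on success, so the loop terminates. Returns the number
   of well-formed units; *corrupt (if non-NULL) is set to 1 when the walk stopped early. */
size_t walk_rnglists(const uint8_t *sec, size_t sec_len, int *corrupt)
{
    size_t off = 0, units = 0;
    if (corrupt) *corrupt = 0;
    while (off < sec_len) {
        struct rnglists_hdr h; char err[160];
        if (parse_rnglists_unit_header(sec, sec_len, off, &h, err, sizeof err) != 0) {
            fprintf(stderr, "Warning: %s (unit at offset %#zx); stopping\n", err, off);
            if (corrupt) *corrupt = 1;
            break;
        }
        units++;
        off += h.length_field_size + h.unit_length;
    }
    return units;
}

int rnglists_section_ok(const uint8_t *sec, size_t sec_len)
{
    int corrupt;
    walk_rnglists(sec, sec_len, &corrupt);
    return !corrupt;
}

/* Constructed sample sections (not the bug's attachment). */
const uint8_t GOOD_RNGLISTS[] = {
    0x09, 0x00, 0x00, 0x00,   /* unit_length = 9 */
    0x05, 0x00,               /* version 5 */
    0x08,                     /* address_size */
    0x00,                     /* segment_selector_size */
    0x00, 0x00, 0x00, 0x00,   /* offset_entry_count = 0 */
    0x00                      /* DW_RLE_end_of_list */
};
const uint8_t BAD_RNGLISTS[] = {
    0x79, 0x02, 0x02, 0x00,   /* unit_length = 0x20279 (the report's value) in a 12-byte section */
    0x05, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* A good unit followed by the corrupt one: one unit parsed, one warning, then return. */
size_t demo_good_then_bad(void)
{
    uint8_t buf[sizeof GOOD_RNGLISTS + sizeof BAD_RNGLISTS];
    memcpy(buf, GOOD_RNGLISTS, sizeof GOOD_RNGLISTS);
    memcpy(buf + sizeof GOOD_RNGLISTS, BAD_RNGLISTS, sizeof BAD_RNGLISTS);
    return walk_rnglists(buf, sizeof buf, NULL);
}

int main(void)
{
    printf("good: %zu unit(s), ok=%d\n", walk_rnglists(GOOD_RNGLISTS, sizeof GOOD_RNGLISTS, NULL),
           rnglists_section_ok(GOOD_RNGLISTS, sizeof GOOD_RNGLISTS));
    printf("bad: ok=%d\n", rnglists_section_ok(BAD_RNGLISTS, sizeof BAD_RNGLISTS));
    printf("good+bad: %zu unit(s) before stopping\n", demo_good_then_bad());
    return 0;
}
```

The point of the walker is the `break` on the failed check: the warning is emitted once for the offending offset and control returns to the caller, which is what the report's "Expected Results" describe. Whether binutils' loop in display_debug_ranges fails to advance or re-enters the same unit is not established by the report; this example only shows the shape of the check that makes such a walk terminate.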