Found by the afl fuzzer. The next offset (after a locview) comes from a DIE loclist attribute. This could be a bogus value so large it overflows the buffer and makes us print past the end of buffer.
Signed-off-by: Mark Wielaard <m...@klomp.org> --- src/ChangeLog | 5 +++++ src/readelf.c | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/ChangeLog b/src/ChangeLog index 5f381cf..3d266e2 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2018-06-16 Mark Wielaard <m...@klomp.org> + + * readelf.c (print_debug_loc_section): Make sure next_off doesn't + overflow d_buf. + 2018-06-13 Mark Wielaard <m...@klomp.org> * readelf.c (die_type_sign_bytes): New function. diff --git a/src/readelf.c b/src/readelf.c index 5e7061d..2e7378e 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -9310,7 +9310,9 @@ print_debug_loc_section (Dwfl_Module *dwflmod, listptr_idx); const unsigned char *locp = readp; const unsigned char *locendp; - if (next_off == 0) + if (next_off == 0 + || next_off > (size_t) (endp + - (const unsigned char *) data->d_buf)) locendp = endp; else locendp = (const unsigned char *) data->d_buf + next_off; -- 1.8.3.1