Found by the afl fuzzer. The next offset (after a locview) comes from a
DIE loclist attribute. This could be a bogus value so large it overflows
the buffer and makes us print past the end of buffer.
Signed-off-by: Mark Wielaard <m...@klomp.org>
---
 src/ChangeLog | 5 +++++
 src/readelf.c | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 5f381cf..3d266e2 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2018-06-16  Mark Wielaard  <m...@klomp.org>
+
+       * readelf.c (print_debug_loc_section): Make sure next_off doesn't
+       overflow d_buf.
+
 2018-06-13  Mark Wielaard  <m...@klomp.org>
 
        * readelf.c (die_type_sign_bytes): New function.
diff --git a/src/readelf.c b/src/readelf.c
index 5e7061d..2e7378e 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -9310,7 +9310,9 @@ print_debug_loc_section (Dwfl_Module *dwflmod,
                                                    listptr_idx);
          const unsigned char *locp = readp;
          const unsigned char *locendp;
-         if (next_off == 0)
+         if (next_off == 0
+             || next_off > (size_t) (endp
+                                     - (const unsigned char *) data->d_buf))
            locendp = endp;
          else
            locendp = (const unsigned char *) data->d_buf + next_off;
-- 
1.8.3.1

Reply via email to