Found by afl-fuzz. When printing a DW_FORM_block4 we checked there were only 2 bytes available (copy/paste from DW_FORM_block2 right before). Obviously we need at least 4 bytes to read the length of a DW_FORM_block4.
Signed-off-by: Mark Wielaard <m...@klomp.org> --- src/ChangeLog | 5 +++++ src/readelf.c | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/ChangeLog b/src/ChangeLog index fbbb9acb..5baf82e6 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2018-06-12 Mark Wielaard <m...@klomp.org> + + * readelf.c (print_form_data): Check we have 4, not 2, bytes + available for DW_FORM_block4. + 2018-06-12 Mark Wielaard <m...@klomp.org> * print_form_data): Don't increase strreadp after use. Do diff --git a/src/readelf.c b/src/readelf.c index 17d91735..3b477ab0 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -7907,7 +7907,7 @@ print_form_data (Dwarf *dbg, int form, const unsigned char *readp, break; case DW_FORM_block4: - if (readendp - readp < 2) + if (readendp - readp < 4) goto invalid_data; val = read_4ubyte_unaligned_inc (dbg, readp); if ((size_t) (readendp - readp) < val) -- 2.17.0
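Review bot: in the src/ChangeLog hunk the new entry is well-formed, but the unchanged context entry directly below it reads "* print_form_data): Don't increase strreadp after use." and is missing its "readelf.c (" prefix; since this patch already touches the same spot in the file, it would be worth fixing that earlier entry to "* readelf.c (print_form_data): Don't increase strreadp after use." so the ChangeLog stays parseable.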
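Review bot: the src/readelf.c hunk is correct as far as it goes: the new "if (readendp - readp < 4)" guard now matches the width consumed by "read_4ubyte_unaligned_inc (dbg, readp)", and the following "if ((size_t) (readendp - readp) < val)" still bounds the block payload against the advanced readp, so the length read can no longer run past readendp. What is missing is a regression test: the diffstat lists only src/ChangeLog and src/readelf.c, yet the commit message says the input came from afl-fuzz, so the minimized crashing object should be added under tests/ with a run-readelf test that expects the "invalid data" path rather than a crash, otherwise the same copy/paste slip in a neighbouring DW_FORM case would go unnoticed again.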