https://sourceware.org/bugzilla/show_bug.cgi?id=23541
Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mark at klomp dot org

--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
I couldn't replicate with the given reproducer. But it is pretty clear that we
forget to check there is enough data available when reading the aranges header
in dwarf_getaranges.c. In particular we forget to check we can actually read
the address and segment size bytes.

diff --git a/libdw/dwarf_getaranges.c b/libdw/dwarf_getaranges.c
index bff9c860..de5b81ba 100644
--- a/libdw/dwarf_getaranges.c
+++ b/libdw/dwarf_getaranges.c
@@ -148,6 +148,10 @@ dwarf_getaranges (Dwarf *dbg, Dwarf_Aranges **aranges, size_t *naranges)
                                    length_bytes, &offset, IDX_debug_info, 4))
         goto fail;
 
+      /* Next up two bytes for address and segment size. */
+      if (readp + 2 > readendp)
+        goto invalid;
+
       unsigned int address_size = *readp++;
       if (unlikely (address_size != 4 && address_size != 8))
         goto invalid;

While checking similar code in readelf.c I found we have a similar check
missing, but this time just for the segment size:

diff --git a/src/readelf.c b/src/readelf.c
index 7b5707f8..7b488ac5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -5447,6 +5447,8 @@ print_debug_aranges_section (Dwfl_Module *dwflmod __attribute__ ((unused)),
           goto next_table;
         }
 
+      if (readp + 1 > readendp)
+        goto invalid_data;
       unsigned int segment_size = *readp++;
       printf (gettext (" Segment size: %6" PRIu64 "\n\n"),
               (uint64_t) segment_size);

It looks like all other checks are in place, but this code could probably
benefit from some extra fuzzing.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
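Review bot: in the dwarf_getaranges.c hunk, `if (readp + 2 > readendp)` forms a pointer beyond readendp in exactly the case it is meant to catch (data too short); writing the same bound as a length comparison, `if (readendp - readp < 2)`, cannot overflow and reads as the "two bytes left" test it is. The check does cover both the address_size byte read here and the segment_size byte read after it, so no second check is needed below. One thing worth confirming from the surrounding code: readendp is the end of the whole section, while the set carries its own length (the length_bytes-wide field consumed just above); if that per-set end is already computed, bounding this read by it as well keeps a header shorter than 12 bytes inside a longer section from silently reading the first bytes of the following set instead of reaching `goto invalid`.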
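Review bot: in the readelf.c hunk, `if (readp + 1 > readendp)` is just `if (readp >= readendp)`; the simpler form avoids computing a pointer one past readendp and says directly that no byte is left. The placement is right: it sits immediately before `*readp++` and before the printf, so a table truncated after address_size is reported via invalid_data instead of being printed with a segment size read from beyond the buffer.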
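The missing checks above concern the fixed-size fields of a .debug_aranges set header. As an added example (not elfutils code and not part of this bug report), here is a small stand-alone parser for one such set that applies the bound the patches add, but written as a length comparison (`readendp - readp >= n`) and measured against the end of the set rather than the end of the section. The names parse_aranges_header, count_aranges and have, the error codes, and the sample byte strings are assumptions made for this example; the samples are constructed, little-endian, 32-bit DWARF with an 8-byte address size, and tuple alignment is taken relative to the start of the set. One sample reproduces the bug's case: a set whose declared length ends right after the .debug_info offset, so the address and segment size bytes are not there to read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical parsed form of one .debug_aranges set header (not libdw's
   Dwarf_Aranges); field sizes follow DWARF 2-4 as elfutils reads them. */
struct aranges_header {
    uint64_t unit_length;            /* set length, not counting this field */
    unsigned offset_size;            /* 4 (32-bit DWARF) or 8 (64-bit DWARF) */
    uint16_t version;
    uint64_t debug_info_offset;
    uint8_t  address_size, segment_size;
    size_t   header_size, set_size;  /* offsets from the start of the set */
};

enum { ARANGES_OK = 0, ARANGES_TRUNCATED = -1, ARANGES_INVALID = -2 };

/* Little-endian read; the caller has already bounds-checked n bytes. */
static uint64_t get_le(const uint8_t *p, unsigned n)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Bounds check as a length comparison: never forms readp + n, which the
   patch's "readp + 2 > readendp" does precisely when the data is short. */
static int have(const uint8_t *readp, const uint8_t *readendp, uint64_t n)
{
    return readp <= readendp && (uint64_t)(readendp - readp) >= n;
}

int parse_aranges_header(const uint8_t *buf, size_t len, struct aranges_header *h)
{
    struct aranges_header local;
    const uint8_t *readp = buf, *readendp = buf + len;
    if (h == NULL) h = &local;
    memset(h, 0, sizeof *h);

    if (!have(readp, readendp, 4)) return ARANGES_TRUNCATED;
    h->unit_length = get_le(readp, 4); readp += 4;
    h->offset_size = 4;
    if (h->unit_length == 0xffffffffu) {            /* 64-bit DWARF escape */
        if (!have(readp, readendp, 8)) return ARANGES_TRUNCATED;
        h->unit_length = get_le(readp, 8); readp += 8;
        h->offset_size = 8;
    } else if (h->unit_length >= 0xfffffff0u) {
        return ARANGES_INVALID;                     /* reserved escape codes */
    }
    /* The set must fit in the section; from here on every read is bounded by
       the set's own end, so a short header inside a longer section is caught. */
    if (!have(readp, readendp, h->unit_length)) return ARANGES_TRUNCATED;
    const uint8_t *setend = readp + h->unit_length;
    h->set_size = (size_t)(setend - buf);

    if (!have(readp, setend, 2)) return ARANGES_TRUNCATED;
    h->version = (uint16_t)get_le(readp, 2); readp += 2;
    if (h->version != 2) return ARANGES_INVALID;

    if (!have(readp, setend, h->offset_size)) return ARANGES_TRUNCATED;
    h->debug_info_offset = get_le(readp, h->offset_size); readp += h->offset_size;

    /* The two bytes the unpatched code read without checking. */
    if (!have(readp, setend, 2)) return ARANGES_TRUNCATED;
    h->address_size = *readp++;
    h->segment_size = *readp++;
    if (h->address_size != 4 && h->address_size != 8) return ARANGES_INVALID;
    if (h->segment_size != 0) return ARANGES_INVALID; /* segmented addressing not handled */

    /* Tuples are aligned to 2*address_size; assumed relative to the set start. */
    size_t align = 2u * h->address_size;
    size_t pad = (align - (size_t)(readp - buf) % align) % align;
    if (!have(readp, setend, pad)) return ARANGES_TRUNCATED;
    h->header_size = (size_t)(readp - buf) + pad;
    return ARANGES_OK;
}

/* Number of tuples before the (0, 0) terminator, or a negative ARANGES_* code. */
int count_aranges(const uint8_t *buf, size_t len)
{
    struct aranges_header h;
    int rc = parse_aranges_header(buf, len, &h), n = 0;
    if (rc != ARANGES_OK) return rc;
    const uint8_t *readp = buf + h.header_size, *setend = buf + h.set_size;
    for (;;) {
        if (!have(readp, setend, 2u * h.address_size)) return ARANGES_TRUNCATED;
        uint64_t addr = get_le(readp, h.address_size); readp += h.address_size;
        uint64_t size = get_le(readp, h.address_size); readp += h.address_size;
        if (addr == 0 && size == 0) return n;
        n++;
    }
}

/* Constructed samples: little-endian, 32-bit DWARF, address_size 8. */
static const uint8_t sample_good[] = {
    0x2c,0,0,0, 2,0, 0,0,0,0, 8,0, 0,0,0,0,             /* 12-byte header + 4 pad */
    0x00,0x10,0x40,0,0,0,0,0, 0x00,0x01,0,0,0,0,0,0,    /* [0x401000, +0x100) */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };                 /* terminator */
static const uint8_t sample_short_header[] = { 6,0,0,0, 2,0, 0,0,0,0 };   /* the bug's case */
static const uint8_t sample_cut_set[] = { 0x2c,0,0,0, 2,0, 0,0,0,0 };     /* length past buffer */
static const uint8_t sample_bad_addrsize[] = { 8,0,0,0, 2,0, 0,0,0,0, 2,0 };

int main(void)
{
    printf("good: %d\n", count_aranges(sample_good, sizeof sample_good));
    printf("short header: %d\n", count_aranges(sample_short_header, sizeof sample_short_header));
    printf("cut set: %d\n", count_aranges(sample_cut_set, sizeof sample_cut_set));
    return 0;
}
```

The sample_short_header case is the one the readendp-only check would miss whenever another set follows in the section: its declared length is consistent with the buffer, so the error only shows up when the read is bounded by the set end. The check against the section end alone is still needed first, to validate the length field itself.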