authorNick Clifton <nickc@redhat.com>2015-02-10 17:13:31 +0000
committerNick Clifton <nickc@redhat.com>2015-02-10 17:13:31 +0000
commit03a91817f163986f10cb843f58e2f2cd9186e4f0 (patch)
tree191b2434a366bef2d4e25cd84dacf420123da541
parent77ef86547510cee3a2bff27bea9f19f0b2715bae (diff)
Fixes for memory access violations triggered by running readelf on fuzzed binaries.
PR binutils/17531 * dwarf.c (process_debug_info): Zero the debug information array since correct initialisation cannot be relied upon. (process_cu_tu_index): Improve range checks.
-rw-r--r--binutils/ChangeLog5
-rw-r--r--binutils/dwarf.c11
2 files changed, 14 insertions, 2 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 93cab7300cd..4befee323ac 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -17,6 +17,11 @@
li_prologue_length.
(eh_addr_size): Update prototype.
+ PR binutils/17531
+ * dwarf.c (process_debug_info): Zero the debug information array
+ since correct initialisation cannot be relied upon.
+ (process_cu_tu_index): Improve range checks.
+
2015-02-09 Mark Wielaard <mjw@redhat.com>
* dwarf.c (read_and_display_attr_value): Handle DW_LANG_Fortran03
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 9daf31579a5..426dca58a5e 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -2304,6 +2304,13 @@ process_debug_info (struct dwarf_section *section,
alloc_num_debug_info_entries = num_debug_info_entries = 0;
return 0;
}
+ /* PR 17531: file: 92ca3797.
+ We cannot rely upon the debug_information array being initialised
+ before it is used. A corrupt file could easily contain references
+ to a unit for which information has not been made available. So
+ we ensure that the array is zeroed here. */
+ memset (debug_information, 0, num_units * sizeof * debug_information);
+
alloc_num_debug_info_entries = num_units;
}
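Review bot: The memset added here zeroes `num_units * sizeof * debug_information` bytes immediately after an allocation of presumably the same size just above the hunk, so the zeroing is a second step that a later edit of the allocation branch could easily drop; a zeroing allocator ties the initial state to the allocation itself, e.g. `debug_information = (debug_info *) calloc (num_units, sizeof (*debug_information));` in place of the malloc-style call (that call is outside the hunk, so its exact form is inferred). The zeroing also runs only on this allocation path; if an already-allocated array can be reused on a later call, entries populated from a previous section would survive unzeroed, which deserves a sentence in the comment either way, e.g. `/* Entries are zeroed only when the array is (re)allocated here.  */`. process_debug_info starts before this hunk.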
@@ -6913,7 +6920,7 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
ppool = pindex + nslots * 4;
/* PR 17531: file: 45d69832. */
- if (pindex < phash || ppool < phdr)
+ if (pindex < phash || ppool < phdr || (pindex == phash && nslots != 0))
{
warn (_("Section %s is too small for %d slots\n"),
section->name, nslots);
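Review bot: The new `pindex == phash && nslots != 0` clause only catches the case where `nslots * 8` wraps to exactly zero; a count for which the product wraps to a small positive multiple of 8 (for instance 0x20000001 if nslots is a 32-bit unsigned, which the `%d` printing below suggests but the hunk does not show) leaves `pindex` just past `phash` and `ppool` inside the section, so the later per-slot loop reads far beyond the end of the buffer. Detecting overflow with `pindex < phash` also compares pointers produced by out-of-range arithmetic, which the C standard leaves undefined rather than guaranteeing a wraparound the compiler must honour. Bound the count against the bytes actually available before forming the pointers, e.g. `if (nslots > (size_t) (limit - phash) / 12)` (8 hash bytes plus 4 index bytes per slot), using the `limit` end pointer that the following hunk already compares against, and keep the existing warning for that case. process_cu_tu_index begins before this hunk.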
@@ -6930,7 +6937,7 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
printf (_(" Number of slots: %d\n\n"), nslots);
}
- if (ppool > limit)
+ if (ppool > limit || ppool < phdr)
{
warn (_("Section %s too small for %d hash table entries\n"),
section->name, nslots);