From 19485196044b2521af979f1e5c4a89bfb90fba0b Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Wed, 27 Sep 2017 10:42:51 +0100
Subject: [PATCH] Prevent an infinite loop in the DWARF parsing code when encountering a CU structure with a small negative size.
PR 22219
* dwarf.c (process_debug_info): Add a check for a negative cu_length field.
Upstream-Status: Backport
Affects: <= 2.29.1
CVE: CVE-2017-14934
Signed-off-by: Armin Kuster
---
binutils/ChangeLog | 6 ++++++
binutils/dwarf.c | 11 ++++++++++-
2 files changed, 16 insertions(+), 1 deletion(-)
Index: git/binutils/dwarf.c
===================================================================
--- git.orig/binutils/dwarf.c
+++ git/binutils/dwarf.c
@@ -2547,7 +2547,7 @@ process_debug_info (struct dwarf_section
 int level, last_level, saved_level;
 dwarf_vma cu_offset;
 unsigned int offset_size;
- int initial_length_size;
+ unsigned int initial_length_size;
 dwarf_vma signature_high = 0;
 dwarf_vma signature_low = 0;
 dwarf_vma type_offset = 0;
@@ -2695,6 +2695,15 @@ process_debug_info (struct dwarf_section
 num_units = unit;
 break;
 }
+ else if (compunit.cu_length + initial_length_size < initial_length_size)
+ {
+ warn (_("Debug info is corrupted, length of CU at %s is negative (%s)\n"),
+ dwarf_vmatoa ("x", cu_offset),
+ dwarf_vmatoa ("x", compunit.cu_length));
+ num_units = unit;
+ break;
+ }
+
 tags = hdrptr;
 start += compunit.cu_length + initial_length_size;
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2017-09-27 Nick Clifton
+
+ PR 22219
+ * dwarf.c (process_debug_info): Add a check for a negative
+ cu_length field.
+
 2017-11-01 Alan Modra
 Apply from master
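Review bot: The new `else if` in the second dwarf.c hunk only rejects a cu_length whose sum with initial_length_size wraps the dwarf_vma width, so a length that is merely larger than the bytes remaining in the section (for a 64-bit DWARF unit, anything up to about 2^64 minus initial_length_size) still passes, and `start += compunit.cu_length + initial_length_size;` on the last context line then moves `start` far past the end of the buffer — out-of-bounds pointer arithmetic that is undefined and cannot be relied on to terminate the enclosing loop or to keep later reads in bounds. I would bound the length against the remaining section as well, e.g. `else if (compunit.cu_length + initial_length_size < initial_length_size || compunit.cu_length + initial_length_size > (dwarf_vma) (end - start))`, which keeps the existing wrap test and additionally refuses any unit that would run past the section; this assumes `end` is the section limit used by this loop, which is not visible in the hunk. A distinct message for the over-long case (e.g. `length of CU at %s is too large (%s)`) would keep the two corruption diagnostics distinguishable. process_debug_info starts and ends outside the hunk, so whether a later bounds check already covers the non-wrapping case cannot be confirmed from here.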