From 515f23e63c0074ab531bc954f84ca40c6281a724 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Sun, 24 Sep 2017 14:36:16 +0930
Subject: [PATCH] PR22169, heap-based buffer overflow in read_1_byte

The .debug_line header length field doesn't include the length field
itself, ie. it's the size of the rest of .debug_line.

	PR 22169
	* dwarf2.c (decode_line_info): Correct .debug_line unit_length check.

Upstream-Status: Backport
Affects: <= 2.29.1
CVE: CVE-2017-14939
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 bfd/ChangeLog | 5 +++++
 bfd/dwarf2.c  | 7 ++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

Index: git/bfd/dwarf2.c
===================================================================
--- git.orig/bfd/dwarf2.c
+++ git/bfd/dwarf2.c
@@ -2084,12 +2084,13 @@ decode_line_info (struct comp_unit *unit
       offset_size = 8;
     }
 
-  if (unit->line_offset + lh.total_length > stash->dwarf_line_size)
+  if (lh.total_length > (size_t) (line_end - line_ptr))
     {
       _bfd_error_handler
 	/* xgettext: c-format */
-	(_("Dwarf Error: Line info data is bigger (%#Lx) than the space remaining in the section (%#Lx)"),
-	 lh.total_length, stash->dwarf_line_size - unit->line_offset);
+	(_("Dwarf Error: Line info data is bigger (%#Lx)"
+	   " than the space remaining in the section (%#lx)"),
+	 lh.total_length, (unsigned long) (line_end - line_ptr));
       bfd_set_error (bfd_error_bad_value);
       return NULL;
     }
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -1,4 +1,9 @@
 2017-09-24  Alan Modra  <amodra@gmail.com>
+ 
+       PR 22169
+       * dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
+
+2017-09-24  Alan Modra  <amodra@gmail.com>
 
        PR 22166
        * elf.c (_bfd_elf_slurp_version_tables): Test sh_info on