From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Wed, 28 Feb 2018 10:13:54 +0000 Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1 debug information. PR 22894 * dwarf1.c (parse_die): Check the length of form blocks before advancing the data pointer. Upstream-Status: Backport Affects: <= 2.30 CVE: CVE-2018-7568 patch2 Signed-off-by: Armin Kuster --- bfd/ChangeLog | 6 ++++++ bfd/dwarf1.c | 17 +++++++++++++++-- 2 files changed, 21 insertions(+), 2 deletions(-) Index: git/bfd/dwarf1.c =================================================================== --- git.orig/bfd/dwarf1.c +++ git/bfd/dwarf1.c @@ -213,6 +213,7 @@ parse_die (bfd * abfd, /* Then the attributes. */ while (xptr + 2 <= aDiePtrEnd) { + unsigned int block_len; unsigned short attr; /* Parse the attribute based on its form. This section @@ -255,12 +256,24 @@ parse_die (bfd * abfd, break; case FORM_BLOCK2: if (xptr + 2 <= aDiePtrEnd) - xptr += bfd_get_16 (abfd, xptr); + { + block_len = bfd_get_16 (abfd, xptr); + if (xptr + block_len > aDiePtrEnd + || xptr + block_len < xptr) + return FALSE; + xptr += block_len; + } xptr += 2; break; case FORM_BLOCK4: if (xptr + 4 <= aDiePtrEnd) - xptr += bfd_get_32 (abfd, xptr); + { + block_len = bfd_get_32 (abfd, xptr); + if (xptr + block_len > aDiePtrEnd + || xptr + block_len < xptr) + return FALSE; + xptr += block_len; + } xptr += 4; break; case FORM_STRING: Index: git/bfd/ChangeLog =================================================================== --- git.orig/bfd/ChangeLog +++ git/bfd/ChangeLog @@ -1,3 +1,9 @@ +2018-02-28 Nick Clifton + + PR 22894 + * dwarf1.c (parse_die): Check the length of form blocks before + advancing the data pointer. + 2017-09-25 Alan Modra PR 22202