blob: 9df8138401f732363b815a7e8466d123557d1102 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
|
From 30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 26 Sep 2017 14:37:47 +0100
Subject: [PATCH] Avoid needless resource usage when processing a corrupt DWARF
directory or file name table.
PR 22210
* dwarf2.c (read_formatted_entries): Fail early if we know that
the loop parsing data entries will overflow the end of the
section.
Upstream-Status: Backport
Affects: <= 2.29.1
CVE: CVE-2017-14933 #1
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
bfd/ChangeLog | 7 +++++++
bfd/dwarf2.c | 10 ++++++++++
2 files changed, 17 insertions(+)
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2017-09-26 Nick Clifton <nickc@redhat.com>
+
+ PR 22210
+ * dwarf2.c (read_formatted_entries): Fail early if we know that
+ the loop parsing data entries will overflow the end of the
+ section.
+
2017-09-26 Alan Modra <amodra@gmail.com>
PR 22204
Index: git/bfd/dwarf2.c
===================================================================
--- git.orig/bfd/dwarf2.c
+++ git/bfd/dwarf2.c
@@ -1933,6 +1933,17 @@ read_formatted_entries (struct comp_unit
data_count = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE, buf_end);
buf += bytes_read;
+
+ /* PR 22210. Paranoia check. Don't bother running the loop
+ if we know that we are going to run out of buffer. */
+ if (data_count > (bfd_vma) (buf_end - buf))
+ {
+ _bfd_error_handler (_("Dwarf Error: data count (%Lx) larger than buffer size."),
+ data_count);
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+
for (datai = 0; datai < data_count; datai++)
{
bfd_byte *format = format_header_data;
|