Commit b3fe587e authored by Alan Modra

PR25018, readelf crash on 32bits

Pointer comparisons after adding an offset just don't work to catch
overflow when the offset is a larger type than the pointer.

	PR 25018
	* dwarf.c (get_type_signedness): Delete ineffective pointer
	comparison check.  Properly range check uvalue offset on
	recursive call.
	(read_and_display_attr_value): Range check uvalue offset before
	calling get_type_signedness.
parent a13ba308
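The failure mode the commit message describes, shown as an added example written for this page (it is not binutils code and is not part of the commit). It models a 32-bit host with `uint32_t` pointers and a 64-bit `uvalue`, runs the deleted pointer comparison and the added offset comparison side by side, and finishes with the same idiom on real host pointers. The function names `pointer_compare_rejects`, `offset_compare_rejects` and `offset_in_range`, the buffer `sample_buf`, and the addresses and offsets are all assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit host (the PR 25018 case): pointers are 32 bits wide,
   while the DWARF offset read from the file ("uvalue") is 64 bits wide.
   The addresses used below are constructed sample values, not real buffers. */
typedef uint32_t ptr32;

/* The check the commit deletes, modelled in 32-bit arithmetic: form the
   pointer first, then compare pointers.  The addition is truncated to the
   pointer width, so a huge uvalue wraps back inside [start, end) and the
   comparison does not fire. */
static bool pointer_compare_rejects (ptr32 start, ptr32 end, uint64_t uvalue)
{
  ptr32 data = (ptr32) (start + uvalue);   /* wraps when uvalue >= 2^32 */
  return data >= end;
}

/* The check the commit adds: compare the offset against the buffer length
   before forming any pointer.  (end - start) fits in the pointer width and
   the comparison happens in the 64-bit type of uvalue, so nothing wraps. */
static bool offset_compare_rejects (ptr32 start, ptr32 end, uint64_t uvalue)
{
  return uvalue >= (uint64_t) (ptr32) (end - start);
}

/* The fixed idiom on real host pointers, usable before computing
   start + uvalue.  Returns true when start + uvalue lies strictly inside
   [start, end); also rejects an inverted range, which the bare
   (size_t) (end - start) cast would turn into a huge length. */
static bool offset_in_range (const unsigned char *start,
                             const unsigned char *end, uint64_t uvalue)
{
  if (end < start)
    return false;
  return uvalue < (uint64_t) (size_t) (end - start);
}

/* Constructed 16-byte sample buffer for the host-pointer demonstration. */
static unsigned char sample_buf[16];

int main (void)
{
  /* Constructed 4 KiB section at 0x10000000 on the modelled 32-bit host. */
  const ptr32 start = 0x10000000u, end = 0x10001000u;
  const uint64_t cases[] = { 0x10, 0x1000, 0xffffffffull, 0x100000010ull };

  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
    printf ("uvalue=%#llx  pointer compare rejects: %d  offset compare rejects: %d\n",
            (unsigned long long) cases[i],
            pointer_compare_rejects (start, end, cases[i]),
            offset_compare_rejects (start, end, cases[i]));

  printf ("host pointers: offset 15 ok: %d, offset 16 ok: %d, offset 2^40 ok: %d\n",
          offset_in_range (sample_buf, sample_buf + sizeof sample_buf, 15),
          offset_in_range (sample_buf, sample_buf + sizeof sample_buf, 16),
          offset_in_range (sample_buf, sample_buf + sizeof sample_buf, 1ull << 40));
  return 0;
}
```

The two offsets that matter are `0xffffffff` and `0x100000010`: both are far past the 4 KiB section, yet after 32-bit truncation `start + uvalue` lands back inside it and the pointer comparison accepts them, while the length comparison rejects both. An offset equal to the section length is rejected by the fixed check too, since `start + uvalue` would equal `end` and leave nothing to read.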
2019-09-23 Alan Modra <amodra@gmail.com>
PR 25018
* dwarf.c (get_type_signedness): Delete ineffective pointer
comparison check. Properly range check uvalue offset on
recursive call.
(read_and_display_attr_value): Range check uvalue offset before
calling get_type_signedness.
2019-09-20 Alan Modra <amodra@gmail.com>
* ar.c (write_archive): Use bfd_set_thin_archive.
......@@ -1999,9 +1999,6 @@ get_type_signedness (unsigned char * start,
* is_signed = FALSE;
if (data >= end)
return;
abbrev_number = read_uleb128 (data, & bytes_read, end);
data += bytes_read;
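Review bot: dropping `if (data >= end) return;` outright, rather than keeping it as defence in depth, means get_type_signedness now performs no check of its own on `data` before `read_uleb128 (data, & bytes_read, end)`; the `data < end` precondition is enforced only at the two call sites this patch touches and is stated nowhere in the function. Either keep the comparison (it is harmless for pointers that did not wrap and still catches plain overshoots) or add a header comment saying callers must range check the offset before forming `data`, so a future caller cannot reintroduce the 32-bit wrap. The reasoning for the deletion is sound: when a caller builds `data` as `start + uvalue` and `uvalue` is wider than a pointer, the addition wraps and this comparison passes.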
......@@ -2042,6 +2039,8 @@ get_type_signedness (unsigned char * start,
NB/ We need to avoid infinite recursion. */
return;
}
if (uvalue >= (size_t) (end - start))
return;
get_type_signedness (start, start + uvalue, end, pointer_size,
offset_size, dwarf_version, is_signed, TRUE);
break;
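Review bot: the new `if (uvalue >= (size_t) (end - start)) return;` has the right shape (compare the offset against the buffer length rather than the pointer sum), but it silently abandons the recursion with no comment, directly beneath the "NB/ We need to avoid infinite recursion" block that does explain itself; add one line noting that the offset is checked here because `start + uvalue` can wrap when `uvalue` is wider than a pointer. Note also that `(size_t) (end - start)` assumes `end >= start`; if a caller ever passes an inverted range the cast produces a huge length and every offset passes, so that invariant belongs in the function's contract.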
......@@ -2725,7 +2724,8 @@ read_and_display_attr_value (unsigned long attribute,
switch (attribute)
{
case DW_AT_type:
if (level >= 0 && level < MAX_CU_NESTING)
if (level >= 0 && level < MAX_CU_NESTING
&& uvalue < (size_t) (end - start))
{
bfd_boolean is_signed = FALSE;
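Review bot: `uvalue < (size_t) (end - start)` repeats the check this patch adds inside get_type_signedness for the recursive call, so the range check now lives at two call sites but not at function entry, which is where a third caller would need it; consider moving it into get_type_signedness (taking `uvalue` and computing `start + uvalue` only after the check) so the guard cannot be bypassed. When the condition fails the DW_AT_type value is skipped without any diagnostic; consider emitting a warning so a corrupt type offset is reported rather than silently ignored.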