Fix an illegal memory access triggered by an attempt to parse a corrupt input file.

PR 28046 * dwarf2.c (read_ranges): Check that range_ptr does not exceed range_end.
2025-02-17 13:10:12 +08:00 · 2021-07-02 14:56:36 +01:00 · 2021-07-02 14:56:36 +01:00 · 49910fd88d
commit 49910fd88d
parent 4ff0bb2df5
2 changed files with 10 additions and 1 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,9 @@
+2021-07-02  Nick Clifton  <nickc@redhat.com>
+
+	PR 28046
+	* dwarf2.c (read_ranges): Check that range_ptr does not exceed
+	range_end.
+
 2021-06-30  YunQiang Su  <yunqiang.su@cipunited.com>

 	PR mips/28009
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@ -909,7 +909,8 @@ read_address (struct comp_unit *unit, bfd_byte **ptr, bfd_byte *buf_end)
  if (bfd_get_flavour (unit->abfd) == bfd_target_elf_flavour)
    signed_vma = get_elf_backend_data (unit->abfd)->sign_extend_vma;

-  if (unit->addr_size > (size_t) (buf_end - buf))
+  if (unit->addr_size > (size_t) (buf_end - buf)
+      || (buf > buf_end))
    {
      *ptr = buf_end;
      return 0;
@ -3097,6 +3098,8 @@ read_ranges (struct comp_unit *unit, struct arange *arange,
  if (ranges_ptr < unit->file->dwarf_ranges_buffer)
    return false;
  ranges_end = unit->file->dwarf_ranges_buffer + unit->file->dwarf_ranges_size;
+  if (ranges_ptr >= ranges_end)
+    return false;

  for (;;)
    {