master

分支 (4)

标签 (2)

管理

管理

master

openEuler-20.03-LTS

openEuler1.0-base

openEuler1.0

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

binutils
/
CVE-2019-17451.patch

From 7e030e9e32ad36334dd5ca6781f619f52095ceed Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 9 Oct 2019 10:47:13 +1030
Subject: [PATCH 2/2] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line

Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
and ffffd5555453b140 result in a total size of 1.  Reading the first
section of course overflows the buffer and tramples on other memory.

	PR 25070
	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
	total_size calculation.
---
 bfd/dwarf2.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index af312b30d5..26bfb25eb3 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -4424,7 +4424,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
       for (total_size = 0;
 	   msec;
 	   msec = find_debug_info (debug_bfd, debug_sections, msec))
-	total_size += msec->size;
+	{
+	  /* Catch PR25070 testcase overflowing size calculation here.  */
+	  if (total_size + msec->size < total_size
+	      || total_size + msec->size < msec->size)
+	    {
+	      bfd_set_error (bfd_error_no_memory);
+	      return FALSE;
+	    }
+	  total_size += msec->size;
+	}

       stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
       if (stash->info_ptr_memory == NULL)
--
2.19.1