Prevent an infinite loop in the DWARF parsing code when encountering a CU structure...
authorNick Clifton <nickc@redhat.com>
Wed, 27 Sep 2017 09:42:51 +0000 (10:42 +0100)
committerNick Clifton <nickc@redhat.com>
Wed, 27 Sep 2017 09:42:51 +0000 (10:42 +0100)
PR 22219
* dwarf.c (process_debug_info): Add a check for a negative
cu_length field.

binutils/ChangeLog
binutils/dwarf.c

index a4de14c..333ad86 100644 (file)
@@ -1,3 +1,9 @@
+2017-09-27  Nick Clifton  <nickc@redhat.com>
+
+       PR 22219
+       * dwarf.c (process_debug_info): Add a check for a negative
+       cu_length field.
+
 2017-09-27  Alan Modra  <amodra@gmail.com>
 
        PR 22216
index edc65aa..7ded1bf 100644 (file)
@@ -2591,7 +2591,7 @@ process_debug_info (struct dwarf_section *section,
       int level, last_level, saved_level;
       dwarf_vma cu_offset;
       unsigned int offset_size;
-      int initial_length_size;
+      unsigned int initial_length_size;
       dwarf_vma signature_high = 0;
       dwarf_vma signature_low = 0;
       dwarf_vma type_offset = 0;
@@ -2739,6 +2739,15 @@ process_debug_info (struct dwarf_section *section,
          num_units = unit;
          break;
        }
+      else if (compunit.cu_length + initial_length_size < initial_length_size)
+       {
+         warn (_("Debug info is corrupted, length of CU at %s is negative (%s)\n"),
+               dwarf_vmatoa ("x", cu_offset),
+               dwarf_vmatoa ("x", compunit.cu_length));
+         num_units = unit;
+         break;
+       }
+
       tags = hdrptr;
       start += compunit.cu_length + initial_length_size;
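Review bot: The added `else if` rejects only a `compunit.cu_length` whose sum with `initial_length_size` wraps past zero, so a corrupt length just below that limit still reaches `start += compunit.cu_length + initial_length_size;` unless the branch before it (outside this hunk) catches it. If that earlier test is itself an addition that includes `cu_offset`, it can presumably wrap in the same way and let such a value through. A subtraction-based bound such as `else if (compunit.cu_length > section->size - cu_offset - initial_length_size)` would reject every length that does not fit in the rest of the section, provided `cu_offset + initial_length_size` is already known not to exceed `section->size`. The warning text also calls the value "negative" while printing it as unsigned hex; `"Debug info is corrupted, length of CU at %s is too large (%s)\n"` would describe what is actually tested. The body of process_debug_info starts and ends outside the hunk.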