PR22169, heap-based buffer overflow in read_1_byte

The .debug_line header length field doesn't include the length field
itself, ie. it's the size of the rest of .debug_line.

	PR 22169
	* dwarf2.c (decode_line_info): Correct .debug_line unit_length check.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 57f5ad3..f63a8bb 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,10 @@
 2017-09-24  Alan Modra  <amodra@gmail.com>
 
+       PR 22169
+       * dwarf2.c (decode_line_info): Correct .debug_line unit_length check.
+
+2017-09-24  Alan Modra  <amodra@gmail.com>
+
        PR 22167
        * dwarf2.c (scan_unit_for_symbols): Check u.blk->data is non-NULL.
 

diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index d1cf1aa..89a3f9b 100644 (file)
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -2096,12 +2096,13 @@ decode_line_info (struct comp_unit *unit, struct dwarf2_debug *stash)
       offset_size = 8;
     }
 
-  if (unit->line_offset + lh.total_length > stash->dwarf_line_size)
+  if (lh.total_length > (size_t) (line_end - line_ptr))
     {
       _bfd_error_handler
        /* xgettext: c-format */
-       (_("Dwarf Error: Line info data is bigger (%#Lx) than the space remaining in the section (%#Lx)"),
-        lh.total_length, stash->dwarf_line_size - unit->line_offset);
+       (_("Dwarf Error: Line info data is bigger (%#Lx)"
+          " than the space remaining in the section (%#lx)"),
+        lh.total_length, (unsigned long) (line_end - line_ptr));
       bfd_set_error (bfd_error_bad_value);
       return NULL;
     }