readelf: Check there are at least 4 bytes available for DWARF_FORM_block4.

Found by afl-fuzz. When printing a DWARF_FORM_block4 we checked there
were only 2 bytes available (copy/paste from DW_FORM_block2 right
before). Obviously we need at least 4 bytes to read the length of a
DW_FORM_block4.

Signed-off-by: Mark Wielaard <mark@klomp.org>

diff --git a/src/ChangeLog b/src/ChangeLog
index d401da2..805a1bf 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,10 @@
 2018-06-12  Mark Wielaard  <mark@klomp.org>
 
+       * readelf.c (print_form_data): Check we have 4, not 2, bytes
+       available for DW_FORM_block4.
+
+2018-06-12  Mark Wielaard  <mark@klomp.org>
+
        * readelf.c (print_form_data): Don't increase strreadp after use.
        Do increase readp for DW_FORM_strx[1234].
 

diff --git a/src/readelf.c b/src/readelf.c
index a617380..2e7378e 100644 (file)
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -7987,7 +7987,7 @@ print_form_data (Dwarf *dbg, int form, const unsigned char *readp,
       break;
 
     case DW_FORM_block4:
-      if (readendp - readp < 2)
+      if (readendp - readp < 4)
        goto invalid_data;
       val = read_4ubyte_unaligned_inc (dbg, readp);
       if ((size_t) (readendp - readp) < val)