Found by afl fuzzer on varlocs test. varlocs sanity checks that the
given offset in the opcode corresponds to the cuoffset of the returned
DIE. In case the opcode offset was bogus this might fail because we
might wrap around and return a random DIE instead of reporting an error.
Signed-off-by: Mark Wielaard <mark@klomp.org>
+2018-06-06 Mark Wielaard <mark@klomp.org>
+
+ * dwarf_getlocation_die.c (dwarf_getlocation_die): Check offset
+ falls inside cu data.
+
2018-06-05 Mark Wielaard <mark@klomp.org>
* dwarf_getsrclines.c (read_srclines): Explicitly set diridx to -1
case DW_OP_GNU_const_type:
case DW_OP_call2:
case DW_OP_call4:
+ if (op->number > (attr->cu->end - attr->cu->start))
+ {
+ invalid_offset:
+ __libdw_seterrno (DWARF_E_INVALID_OFFSET);
+ return -1;
+ }
dieoff = attr->cu->start + op->number;
break;
case DW_OP_GNU_regval_type:
case DW_OP_deref_type:
case DW_OP_GNU_deref_type:
+ if (op->number2 > (attr->cu->end - attr->cu->start))
+ goto invalid_offset;
dieoff = attr->cu->start + op->number2;
break;
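Review bot: the new bounds test `if (op->number > (attr->cu->end - attr->cu->start))` (and the matching `op->number2` test in the DW_OP_GNU_regval_type/DW_OP_deref_type case) is off by one: an offset equal to the CU length passes the check, and the following `dieoff = attr->cu->start + op->number;` then yields `dieoff == attr->cu->end`, which is the first byte past this CU, not inside its data as the ChangeLog entry says. Suggest `>=` in both comparisons. The check itself is the right shape, since comparing the relative offset against `end - start` avoids the wrap-around that comparing `start + number` against `end` would allow. A smaller style point: `goto invalid_offset;` jumps into the braces of the earlier `if` body; that is legal C, but a short comment at the `invalid_offset:` label (or hoisting the label out of the block) would make the control flow easier to follow.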