More fixes for memory access errors when running readelf on fuzzed binaries.

	PR binutils/17531
	* dwarf.c (process_debug_info): Check for abbrev_base being larger
	than the section size.
	(process_cu_tu_index): Use xcalloc2 to allocate the CU and TU
	arrays.
	(xcalloc2): New function.  Like xcalloc, but checks for overflow.
	* dwarf.h (xcalloc2): Prototype.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 9458a84..75c29c8 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,13 @@
+2015-01-12  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/17531
+       * dwarf.c (process_debug_info): Check for abbrev_base being larger
+       than the section size.
+       (process_cu_tu_index): Use xcalloc2 to allocate the CU and TU
+       arrays.
+       (xcalloc2): New function.  Like xcalloc, but checks for overflow.
+       * dwarf.h (xcalloc2): Prototype.
+
 2015-01-12  Alan Modra  <amodra@gmail.com>
 
        * prdbg.c (print_debugging_info): Don't use void* for function

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 2500a49..19b4b44 100644 (file)
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -2466,6 +2466,11 @@ process_debug_info (struct dwarf_section *section,
        warn (_("Debug info is corrupted, abbrev offset (%lx) is larger than abbrev section size (%lx)\n"),
              (unsigned long) compunit.cu_abbrev_offset,
              (unsigned long) abbrev_size);
+      /* PR 17531: file:4bcd9ce9.  */ 
+      else if (abbrev_base >= abbrev_size)
+       warn (_("Debug info is corrupted, abbrev base (%lx) is larger than abbrev section size (%lx)\n"),
+             (unsigned long) abbrev_base,
+             (unsigned long) abbrev_size);
       else
        process_abbrev_section
          (((unsigned char *) debug_displays [abbrev_sec].section.start
@@ -6832,7 +6837,7 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
   /* PR 17512: file: 002-376-0.004.  */
   if (section->size < 24)
     {
-      warn (_("Section %s is too small to contain a CU/TU header"),
+      warn (_("Section %s is too small to contain a CU/TU header\n"),
            section->name);
       return 0;
     }
@@ -6942,13 +6947,13 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
          if (is_tu_index)
            {
              tu_count = nused;
-             tu_sets = xcmalloc (nused, sizeof (struct cu_tu_set));
+             tu_sets = xcalloc2 (nused, sizeof (struct cu_tu_set));
              this_set = tu_sets;
            }
          else
            {
              cu_count = nused;
-             cu_sets = xcmalloc (nused, sizeof (struct cu_tu_set));
+             cu_sets = xcalloc2 (nused, sizeof (struct cu_tu_set));
              this_set = cu_sets;
            }
        }
@@ -7152,6 +7157,17 @@ cmalloc (size_t nmemb, size_t size)
   return xmalloc (nmemb * size);
 }
 
+/* Like xcalloc, but verifies that the first paramer is not too large.  */
+void *
+xcalloc2 (size_t nmemb, size_t size)
+{
+  /* Check for overflow.  */
+  if (nmemb >= ~(size_t) 0 / size)
+    return NULL;
+
+  return xcalloc (nmemb, size);
+}
+
 /* Like xmalloc, but takes two parameters.
    Note: does *not* initialise the allocated memory to zero.  */
 void *

diff --git a/binutils/dwarf.h b/binutils/dwarf.h
index e8a768e..54dcbc7 100644 (file)
--- a/binutils/dwarf.h
+++ b/binutils/dwarf.h
@@ -251,6 +251,7 @@ extern void dwarf_select_sections_all (void);
 extern unsigned int * find_cu_tu_set (void *, unsigned int);
 
 extern void * cmalloc (size_t, size_t);
+extern void * xcalloc2 (size_t, size_t);
 extern void * xcmalloc (size_t, size_t);
 extern void * xcrealloc (void *, size_t, size_t);