PR24876, readelf: heap-buffer-overflow in dump_ia64_unwind

author Alan Modra <amodra@gmail.com>

Wed, 7 Aug 2019 02:20:28 +0000 (11:50 +0930)

committer Alan Modra <amodra@gmail.com>

Wed, 7 Aug 2019 02:30:06 +0000 (12:00 +0930)
author Alan Modra <amodra@gmail.com>
Wed, 7 Aug 2019 02:20:28 +0000 (11:50 +0930)
committer Alan Modra <amodra@gmail.com>
Wed, 7 Aug 2019 02:30:06 +0000 (12:00 +0930)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog

index 411f835..f60d5ff 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2019-08-07  Alan Modra  <amodra@gmail.com>
+
+       PR 24876
+       * readelf.c (dump_ia64_unwind): Check that buffer is large
+       enough for "stamp" before reading.
+
  2019-08-05  Nick Clifton  <nickc@redhat.com>
  
         PR 24874
diff --git a/binutils/readelf.c b/binutils/readelf.c

index e785fde..5e18734 100644 (file)
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -7574,7 +7574,8 @@ dump_ia64_unwind (Filedata * filedata, struct ia64_unw_aux_info * aux)
         }
        offset -= aux->info_addr;
        /* PR 17531: file: 0997b4d1.  */
-      if (offset >= aux->info_size)
+      if (offset >= aux->info_size
+         || aux->info_size - offset < 8)
         {
           warn (_("Invalid offset %lx in table entry %ld\n"),
                 (long) tp->info.offset, (long) (tp - aux->table));
author	Alan Modra <amodra@gmail.com>
	Wed, 7 Aug 2019 02:20:28 +0000 (11:50 +0930)
committer	Alan Modra <amodra@gmail.com>
	Wed, 7 Aug 2019 02:30:06 +0000 (12:00 +0930)
binutils/ChangeLog		patch \| blob \| history
binutils/readelf.c		patch \| blob \| history