libdw: Handle bogus CU length in dwarf_nextcu.

The length field could be so big that it would wrap around the next_offset.
We don't really care that length is bogus, but we don't want to use it to
calculate the next offset if it is.

Found by afl-fuzz.

Signed-off-by: Mark Wielaard <mark@klomp.org>

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 4280c55..11de763 100644 (file)
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2018-06-22  Mark Wielaard  <mark@klomp.org>
+
+       * dwarf_nextcu.c (__libdw_next_unit): Set next_off to -1 when it would
+       wrap around.
+
 2018-06-18  Mark Wielaard  <mark@klomp.org>
 
        * dwarf_aggregate_size.c (array_size): New depth argument. Use

diff --git a/libdw/dwarf_nextcu.c b/libdw/dwarf_nextcu.c
index 4b394f3..be11327 100644 (file)
--- a/libdw/dwarf_nextcu.c
+++ b/libdw/dwarf_nextcu.c
@@ -278,6 +278,11 @@ __libdw_next_unit (Dwarf *dwarf, bool v4_debug_types, Dwarf_Off off,
      or with offset == 8: 2 * 8 - 4 == 12.  */
   *next_off = off + 2 * offset_size - 4 + length;
 
+  /* This means that the length field is bogus, but return the CU anyway.
+     We just won't return anything after this.  */
+  if (*next_off <= off)
+    *next_off = (Dwarf_Off) -1;
+
   return 0;
 }