From: Mark Wielaard
Date: Wed, 27 May 2015 12:05:15 +0000 (+0200)
Subject: libdw: Fix overflow in read_encoded_value for the DW_EH_PE_indirect case.
X-Git-Tag: elfutils-0.162~30
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1ae83ee85404b345150104148b50c60ebcb79398;p=platform%2Fupstream%2Felfutils.git

libdw: Fix overflow in read_encoded_value for the DW_EH_PE_indirect case.

If we are going to dereference a pointer there should be at least enough data to hold a pointer. Found by afl-fuzz.

Signed-off-by: Mark Wielaard
---
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 2757093..aa4d09c 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-27 Mark Wielaard
+
+ * encoded-value.h (read_encoded_value): Check data d_size contains
+ at least enough data to hold a pointer for DW_EH_PE_indirect.
+
 2015-05-22 Mark Wielaard
 
 * dwarf_getsrclines.c (read_srclines): Limit stack usage of lines
diff --git a/libdw/encoded-value.h b/libdw/encoded-value.h
index 0fa2018..48d868f 100644
--- a/libdw/encoded-value.h
+++ b/libdw/encoded-value.h
@@ -214,9 +214,10 @@ read_encoded_value (const Dwarf_CFI *cache, uint8_t encoding,
 if (unlikely (*result < cache->frame_vaddr))
 return true;
 *result -= cache->frame_vaddr;
- if (unlikely (*result > (cache->data->d.d_size
- - encoded_value_size (NULL, cache->e_ident,
- DW_EH_PE_absptr, NULL))))
+ size_t ptrsize = encoded_value_size (NULL, cache->e_ident,
+ DW_EH_PE_absptr, NULL);
+ if (unlikely (cache->data->d.d_size < ptrsize
+ || *result > (cache->data->d.d_size - ptrsize)))
 return true;
 const uint8_t *ptr = cache->data->d.d_buf + *result;
 if (unlikely (__libdw_cfi_read_address_inc (cache, &ptr, 0, result)
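Review bot: The new guard `if (unlikely (cache->data->d.d_size < ptrsize || *result > (cache->data->d.d_size - ptrsize)))` is correct but carries no comment saying why the size test must precede the subtraction, so a later reader may fold it back into the single unsigned subtraction that wrapped when d_size < ptrsize. Suggest a comment above the `size_t ptrsize` line: `/* *result must leave room for a whole pointer; test d_size first so that d_size - ptrsize cannot wrap.  */`. If encoded_value_size can return 0 for an e_ident class it does not recognise (not visible in this hunk), the guard degenerates to `*result <= d_size` and ptr may land exactly one past d_buf before __libdw_cfi_read_address_inc reads through it, so rejecting `ptrsize == 0` here would be worth considering. read_encoded_value begins before and continues after this hunk.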