From a1ea2423c0245d4a9f84523bcb5cb7cc96a27ec8 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Sun, 4 Jan 2015 16:08:22 +0100
Subject: [PATCH] libdw: Check register number in CFI isn't insanely large.

Some cfi.c array size allocation calculations might overflow when trying
to accommodate insanely large number of registers. Don't allow register
numbers larger than INT32_MAX / sizeof (dwarf_frame_register).

Found by afl-fuzz.

Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 libdw/ChangeLog |  5 +++++
 libdw/cfi.c     | 11 ++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 6c8fe0f..b3093a1 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2015-01-04  Mark Wielaard  <mjw@redhat.com>
+
+	* cfi.c (enough_registers): Check reg < INT32_MAX / sizeof
+	(dwarf_frame_register).
+
 2015-01-02  Mark Wielaard  <mjw@redhat.com>
 
 	* dwarf_getcfi_elf.c (parse_eh_frame_hdr): Add size check.
diff --git a/libdw/cfi.c b/libdw/cfi.c
index 632e91d..5a6f956 100644
--- a/libdw/cfi.c
+++ b/libdw/cfi.c
@@ -1,5 +1,5 @@
 /* CFI program execution.
-   Copyright (C) 2009-2010, 2014 Red Hat, Inc.
+   Copyright (C) 2009-2010, 2014, 2015 Red Hat, Inc.
    This file is part of elfutils.
 
    This file is free software; you can redistribute it and/or modify
@@ -79,6 +79,15 @@ execute_cfi (Dwarf_CFI *cache,
   Dwarf_Frame *fs = *state;
   inline bool enough_registers (Dwarf_Word reg)
     {
+      /* Don't allow insanely large register numbers.  268435456 registers
+	 should be enough for anybody.  And very large values might overflow
+	 the array size and offsetof calculations below.  */
+      if (unlikely (reg >= INT32_MAX / sizeof (fs->regs[0])))
+	{
+	  result = DWARF_E_INVALID_CFI;
+	  return false;
+	}
+
       if (fs->nregs <= reg)
 	{
 	  size_t size = offsetof (Dwarf_Frame, regs[reg + 1]);
-- 
2.7.4