main/binutils/CVE-2018-7568.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Fdwarf1.c;h=f272ea831157dc16283774edb933492ca8d3cf48;hp=71bc57bfdf825092c3449ba8810b0efa7b54bb8b;hb=eef104664efb52965d85a28bc3fc7c77e52e48e2;hpb=0d329c0a83a23cebb86fbe0ebddd780dc0df2424

diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c
index 71bc57b..f272ea8 100644
--- a/bfd/dwarf1.c
+++ b/bfd/dwarf1.c
@@ -213,6 +213,7 @@ parse_die (bfd *	     abfd,
   /* Then the attributes.  */
   while (xptr + 2 <= aDiePtrEnd)
     {
+      unsigned int   block_len;
       unsigned short attr;
 
       /* Parse the attribute based on its form.  This section
@@ -255,12 +256,24 @@ parse_die (bfd *	     abfd,
 	  break;
 	case FORM_BLOCK2:
 	  if (xptr + 2 <= aDiePtrEnd)
-	    xptr += bfd_get_16 (abfd, xptr);
+	    {
+	      block_len = bfd_get_16 (abfd, xptr);
+	      if (xptr + block_len > aDiePtrEnd
+		  || xptr + block_len < xptr)
+		return FALSE;
+	      xptr += block_len;
+	    }
 	  xptr += 2;
 	  break;
 	case FORM_BLOCK4:
 	  if (xptr + 4 <= aDiePtrEnd)
-	    xptr += bfd_get_32 (abfd, xptr);
+	    {
+	      block_len = bfd_get_32 (abfd, xptr);
+	      if (xptr + block_len > aDiePtrEnd
+		  || xptr + block_len < xptr)
+		return FALSE;
+	      xptr += block_len;
+	    }
 	  xptr += 4;
 	  break;
 	case FORM_STRING: