authorAlan Modra <amodra@gmail.com>2021-05-12 15:11:43 +0930
committerAlan Modra <amodra@gmail.com>2021-05-12 15:41:10 +0930
commit55b26492bbd05637f24b9b70a507e842e466b723 (patch)
tree2941b78c943f601f7b0b23b22fb9d572bfe886f6 /binutils
parent5ab3907543816d62a8dfd0f7f342ae66814bb0eb (diff)
PR27853, Infinite loop in dwarf.c
Not quite infinite but much longer than it need be. The problem is triggered by read_and_display_attr_value incrementing "data" past "end". read_and_display_attr_value shouldn't do that, but be defensive. PR 27853 * dwarf.c (display_formatted_table): Test for data >= end rather than data == end. (process_extended_line_op): Likewise. (display_debug_lines_raw): Likewise. (display_debug_lines_decoded): Likewise.
Diffstat (limited to 'binutils')
-rw-r--r--binutils/ChangeLog9
-rw-r--r--binutils/dwarf.c24
2 files changed, 21 insertions, 12 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 9e0611ea9f..be50b3142a 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,5 +1,14 @@
2021-05-12 Alan Modra <amodra@gmail.com>
+ PR 27853
+ * dwarf.c (display_formatted_table): Test for data >= end rather
+ than data == end.
+ (process_extended_line_op): Likewise.
+ (display_debug_lines_raw): Likewise.
+ (display_debug_lines_decoded): Likewise.
+
+2021-05-12 Alan Modra <amodra@gmail.com>
+
PR 27849
* dwarf.c (fetch_indexed_string): Correct length sanity checks.
Sanity check section size for version and padding too. Correct
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 336a3d5839..896035ccde 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -521,7 +521,7 @@ process_extended_line_op (unsigned char * data,
READ_ULEB (len, data, end);
header_len = data - orig_data;
- if (len == 0 || data == end || len > (size_t) (end - data))
+ if (len == 0 || data >= end || len > (size_t) (end - data))
{
warn (_("Badly formed extended line op encountered!\n"));
return header_len;
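Review bot: The operand order in the new condition is load-bearing and nothing in the code says so. `data >= end` has to be evaluated before `len > (size_t) (end - data)`, because a `data` past `end` makes the subtraction negative and the cast turns it into a huge value that no `len` can exceed, so the bad op would be accepted. A short comment above the `if` would protect against a later reorder, e.g. `/* Test data >= end first: (size_t) (end - data) wraps when data is past end. */`. The body of process_extended_line_op starts and ends outside this hunk.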
@@ -574,7 +574,7 @@ process_extended_line_op (unsigned char * data,
printf ("%.*s\n\n", (int) l, name);
}
- if (((size_t) (data - orig_data) != len + header_len) || data == end)
+ if (((size_t) (data - orig_data) != len + header_len) || data >= end)
warn (_("DW_LNE_define_file: Bad opcode length\n"));
break;
@@ -4327,7 +4327,7 @@ display_formatted_table (unsigned char *data,
{
SKIP_ULEB (data, end);
SKIP_ULEB (data, end);
- if (data == end)
+ if (data >= end)
{
warn (_("%s: Corrupt format description entry\n"), table_name);
return data;
@@ -4340,7 +4340,7 @@ display_formatted_table (unsigned char *data,
printf (_("\n The %s is empty.\n"), table_name);
return data;
}
- else if (data == end)
+ else if (data >= end)
{
warn (_("%s: Corrupt entry count - expected %s but none found\n"),
table_name, dwarf_vmatoa ("x", data_count));
@@ -4419,7 +4419,7 @@ display_formatted_table (unsigned char *data,
}
}
- if (data == end && (datai < data_count - 1))
+ if (data >= end && (datai < data_count - 1))
{
warn (_("\n%s: Corrupt entries list\n"), table_name);
return data;
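Review bot: The corrupt-list branch still hands the overshot pointer back to the caller: `return data;` runs exactly when `data >= end`, and the commit message says read_and_display_attr_value can leave `data` past `end`. What the caller does with that cursor is outside the hunk, but any `end - data` computed from it would be negative, so returning the clamped value, `return end;`, looks safer. The guard also fires only when `datai < data_count - 1`, so an overshoot on the last entry appears to reach a return outside the hunk with neither a warning nor a clamp. The `break` branches in display_debug_lines_decoded (the hunks at 5067 and 5159) leave `data` past `end` in the same way; `data = end;` before the `break` would cover those.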
@@ -4665,7 +4665,7 @@ display_debug_lines_raw (struct dwarf_section * section,
printf ("%s\t", dwarf_vmatoa ("u", val));
printf ("%.*s\n", (int)(end - name), name);
- if (data == end)
+ if (data >= end)
{
warn (_("Corrupt file name table entry\n"));
break;
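Review bot: The `printf ("%.*s\n", (int)(end - name), name);` line runs before the new guard, and its precision is a pointer difference narrowed to `int` with no range check in the visible lines. If `end - name` ever exceeds INT_MAX the cast can yield a negative value, and printf treats a negative precision as if none were given, so the string is read up to the next NUL rather than up to `end`. Whether `name` is already bounded is decided outside the hunk, but clamping is cheap: `size_t left = end - name;` followed by `printf ("%.*s\n", (int) (left > INT_MAX ? INT_MAX : left), name);`. The `(int) l` precision in the DW_LNE_define_file hunk at 574 has the same shape.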
@@ -5013,7 +5013,7 @@ display_debug_lines_decoded (struct dwarf_section * section,
}
READ_ULEB (n_directories, data, end);
- if (data == end)
+ if (data >= end)
{
warn (_("Corrupt directories list\n"));
break;
@@ -5037,7 +5037,7 @@ display_debug_lines_decoded (struct dwarf_section * section,
READ_ULEB (content_type, format, end);
READ_ULEB (form, format, end);
- if (data == end)
+ if (data >= end)
{
warn (_("Corrupt directories list\n"));
break;
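Review bot: The two `READ_ULEB` calls directly above the guard advance `format`, while the guard tests `data`, and the hunk gives no hint why that cursor is the one being checked. If the intent is that `format` is already bounded by the `end` argument of `READ_ULEB` and the check protects the entry read that follows, a one-line comment would say so: `/* format is bounded by READ_ULEB; this guards the entry data consumed below. */`. The same pairing appears in the file-name loop in the hunk at 5112. The enclosing loop starts and ends outside the hunk.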
@@ -5067,7 +5067,7 @@ display_debug_lines_decoded (struct dwarf_section * section,
NULL, 1, section,
NULL, '\t', -1);
}
- if (data == end)
+ if (data >= end)
{
warn (_("Corrupt directories list\n"));
break;
@@ -5087,7 +5087,7 @@ display_debug_lines_decoded (struct dwarf_section * section,
}
READ_ULEB (n_files, data, end);
- if (data == end && n_files > 0)
+ if (data >= end && n_files > 0)
{
warn (_("Corrupt file name list\n"));
break;
@@ -5112,7 +5112,7 @@ display_debug_lines_decoded (struct dwarf_section * section,
READ_ULEB (content_type, format, end);
READ_ULEB (form, format, end);
- if (data == end)
+ if (data >= end)
{
warn (_("Corrupt file name list\n"));
break;
@@ -5159,7 +5159,7 @@ display_debug_lines_decoded (struct dwarf_section * section,
NULL, 1, section,
NULL, '\t', -1);
}
- if (data == end)
+ if (data >= end)
{
warn (_("Corrupt file name list\n"));
break;