Avoid needless resource usage when processing a corrupt DWARF directory or file name...
authorNick Clifton <nickc@redhat.com>
Tue, 26 Sep 2017 13:37:47 +0000 (14:37 +0100)
committerNick Clifton <nickc@redhat.com>
Tue, 26 Sep 2017 13:37:47 +0000 (14:37 +0100)
PR 22210
* dwarf2.c (read_formatted_entries): Fail early if we know that
the loop parsing data entries will overflow the end of the
section.

bfd/ChangeLog
bfd/dwarf2.c

index b6f7381720b20c052616c5af8b0ceb564eed84cb..a1c16168a4b1544df3747784e53fc50cd5750bc4 100644 (file)
@@ -1,3 +1,10 @@
+2017-09-26  Nick Clifton  <nickc@redhat.com>
+
+       PR 22210
+       * dwarf2.c (read_formatted_entries): Fail early if we know that
+       the loop parsing data entries will overflow the end of the
+       section.
+
 2017-09-26  Alan Modra  <amodra@gmail.com>
 
        PR 22209
index ad06120b96f5bda6abd36b7f77735aff2fa42932..dd5ac8fdb571410e458bc6a0d9fbf778208d219c 100644 (file)
@@ -1938,6 +1938,16 @@ read_formatted_entries (struct comp_unit *unit, bfd_byte **bufp,
       return FALSE;
     }
 
+  /* PR 22210.  Paranoia check.  Don't bother running the loop
+     if we know that we are going to run out of buffer.  */
+  if (data_count > (bfd_vma) (buf_end - buf))
+    {
+      _bfd_error_handler (_("Dwarf Error: data count (%Lx) larger than buffer size."),
+                         data_count);
+      bfd_set_error (bfd_error_bad_value);
+      return FALSE;
+    }
+
   for (datai = 0; datai < data_count; datai++)
     {
       bfd_byte *format = format_header_data;
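Review bot: The guard `if (data_count > (bfd_vma) (buf_end - buf))` is only a lower bound, because it rejects counts that cannot fit at one byte per entry but does not show that the loop stays inside the section. Each entry can need several bytes depending on its forms, so the per-field reads inside the loop must still be checked against `buf_end`, and the comment should say so, for example `/* Assumes at least one byte per entry; reads in the loop must still check buf_end.  */`. If an entry can consume zero bytes (for instance an empty format description, which is parsed outside this hunk), the loop still runs `data_count` times, so that case may deserve its own early rejection. The cast also assumes `buf <= buf_end` at this point; if an earlier read could leave `buf` past the end, the difference becomes a huge unsigned value and the check never fires. The body of read_formatted_entries starts and ends outside the hunk, so these points need confirming against the full function.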