asan: heap buffer overflow in dwarf2_directive_filename
Alan Modra
amodra@gmail.com
Thu Jun 2 07:27:13 GMT 2022
More information about the Binutils mailing list
Seen with .file 4294967289 "xxx.c"
* dwarf2dbg.c (assign_file_to_slot): Catch more cases of integer
overflow. Make param i an unsigned int.
diff --git a/gas/dwarf2dbg.c b/gas/dwarf2dbg.c
index 185d57c253f..b4b252970c1 100644
--- a/gas/dwarf2dbg.c
+++ b/gas/dwarf2dbg.c
@@ -679,7 +679,7 @@ get_directory_table_entry (const char *dirname,
}
static bool
-assign_file_to_slot (unsigned long i, const char *file, unsigned int dir)
+assign_file_to_slot (unsigned int i, const char *file, unsigned int dir)
{
if (i >= files_allocated)
{
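Review bot: Narrowing i from unsigned long to unsigned int in the assign_file_to_slot signature moves any truncation to the call site, where it happens implicitly and without a diagnostic if a caller still holds the file number in a wider type. The callers are not part of this hunk, so please confirm each one range-checks the number against UINT_MAX before the call, or already carries it as unsigned int. A one-line comment above the function saying that i must already be validated as a 32-bit file number would make that contract explicit.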
@@ -687,9 +687,11 @@ assign_file_to_slot (unsigned long i, const char *file, unsigned int dir)
files_allocated = i + 32;
/* Catch wraparound. */
- if (files_allocated <= old)
+ if (files_allocated < old
+ || files_allocated < i
+ || files_allocated > UINT_MAX / sizeof (struct file_entry))
{
- as_bad (_("file number %lu is too big"), (unsigned long) i);
+ as_bad (_("file number %u is too big"), i);
return false;
}
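Review bot: On the failure path, files_allocated has already been overwritten with i + 32 before the check runs, and nothing in the lines shown puts old back before return false. If it is not restored elsewhere, a later call with a smaller i would pass the i >= files_allocated test without growing the array and then index past the real allocation; consider computing the new size into a local and assigning files_allocated only after the checks pass, or setting files_allocated = old in the error branch. Two smaller points: since this block is only entered with i >= old, files_allocated < old is already implied by files_allocated < i and could be dropped, and the "Catch wraparound." comment no longer covers the third condition, which bounds the byte size of the allocation rather than the index arithmetic.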
--
Alan Modra
Australia Development Lab, IBM