[Bug binutils/22204] New: integer overflow in decode_line_info in dwarf2
From: luanjunchao at 163 dot com
Subject: [Bug binutils/22204] New: integer overflow in decode_line_info in dwarf2.c:2294 in binutils 2.29
Date: Mon, 25 Sep 2017 13:29:00 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=22204
Bug ID: 22204
Summary: integer overflow in decode_line_info in dwarf2.c:2294 in binutils 2.29
Product: binutils
Version: 2.30 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: luanjunchao at 163 dot com
Target Milestone: ---
Created attachment 10477
--> https://sourceware.org/bugzilla/attachment.cgi?id=10477&action=edit
poc of integer overflow
When I run "nm-new -a -A -D -l -n -P -r -S --size-sort --special-syms
--synthetic --with-symbol-versions integer_overflow.elf", it just hangs there
and lasts for a long time. And when I run ltrace with the above command, I find that
it calls malloc persistently.
And then I debug it with gdb, and I finally find the reason in function
decode_line_info. Here is the snippet of it:
      /* Decode the table.  */
      while (! end_sequence)
        {
          op_code = read_1_byte (abfd, line_ptr, line_end);
          line_ptr += 1;

          if (op_code >= lh.opcode_base)
            {
              /* Special operand.  */
              adj_opcode = op_code - lh.opcode_base;
              if (lh.line_range == 0)
                goto line_fail;
              if (lh.maximum_ops_per_insn == 1)
                address += (adj_opcode / lh.line_range
                            * lh.minimum_instruction_length);
              else
                {
                  address += ((op_index + adj_opcode / lh.line_range)
                              / lh.maximum_ops_per_insn
                              * lh.minimum_instruction_length);
                  op_index = ((op_index + adj_opcode / lh.line_range)
                              % lh.maximum_ops_per_insn);
                }
              /* dwarf2.c:2294 */
              line += lh.line_base + (adj_opcode % lh.line_range);
              /* Append row to matrix using current values.  */
              if (!add_line_info (table, address, op_index, filename,
                                  line, column, discriminator, 0))
                goto line_fail;
              discriminator = 0;
              if (address < low_pc)
                low_pc = address;
              if (address > high_pc)
                high_pc = address;
            }
When I debug the process, lh.line_base = -5 (int type), while line is
declared as an unsigned int with initial value 0; when it meets a specific
condition, it just stays trapped in the while loop.
The poc is attached.
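The arithmetic the report points at (an unsigned `line` register receiving a signed `line_base`) is easiest to see in isolation. The program below is an added illustration written for this page, not code from binutils: `struct line_head`, `struct line_state` and `apply_special_opcode` are assumptions that only borrow the field names quoted above, and the header values are constructed to match the `line_base = -5` the reporter observed together with the common producer defaults `line_range = 14`, `opcode_base = 13`. It applies one DWARF special opcode both with the quoted expression, where a negative advance wraps the unsigned register, and with a checked variant that computes the advance in a wide signed type and rejects the step as malformed input instead of wrapping.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Line-program header fields used by special-opcode decoding.  Field names
   follow the 'lh' fields quoted in the report; the struct itself is an
   assumption for this example, not binutils' own definition.  */
struct line_head
{
  unsigned char minimum_instruction_length;
  unsigned char maximum_ops_per_insn;
  int           line_base;      /* signed; -5 in the report */
  unsigned char line_range;
  unsigned char opcode_base;
};

/* State-machine registers a special opcode updates.  'line' is unsigned,
   as the report says it is in decode_line_info.  */
struct line_state
{
  uint64_t     address;
  unsigned int op_index;
  unsigned int line;
};

/* Apply one DWARF special opcode.  checked == false reproduces the
   arithmetic quoted in the report; checked == true computes the line advance
   in int64_t and refuses a step that would leave the 32-bit unsigned range.
   Returns false where a decoder would bail out (the report's line_fail).  */
static bool
apply_special_opcode (const struct line_head *lh, struct line_state *st,
                      unsigned char op_code, bool checked)
{
  if (op_code < lh->opcode_base)
    return false;               /* not a special opcode */
  unsigned int adj_opcode = op_code - lh->opcode_base;
  if (lh->line_range == 0)
    return false;               /* division-by-zero guard, as in the report */
  unsigned int op_advance = adj_opcode / lh->line_range;

  if (lh->maximum_ops_per_insn == 1)
    st->address += (uint64_t) op_advance * lh->minimum_instruction_length;
  else
    {
      st->address += ((st->op_index + op_advance) / lh->maximum_ops_per_insn)
                     * (uint64_t) lh->minimum_instruction_length;
      st->op_index = (st->op_index + op_advance) % lh->maximum_ops_per_insn;
    }

  if (!checked)
    {
      /* int + unsigned int is evaluated as unsigned: a negative advance
         becomes a value near 2^32 and 'line' wraps instead of going negative.  */
      st->line += lh->line_base + (adj_opcode % lh->line_range);
      return true;
    }

  int64_t new_line = (int64_t) st->line + lh->line_base
                     + (int64_t) (adj_opcode % lh->line_range);
  if (new_line < 0 || new_line > (int64_t) UINT32_MAX)
    return false;               /* would wrap: treat the input as malformed */
  st->line = (unsigned int) new_line;
  return true;
}

/* Constructed header: common producer defaults plus the reported line_base.  */
static const struct line_head sample_lh = { 1, 1, -5, 14, 13 };

/* Smallest special opcode (adj_opcode = 0, line advance = -5) applied to a
   line register of 0, unchecked.  Returns the wrapped register value.  */
static unsigned int
demo_unchecked_wrap (void)
{
  struct line_state st = { 0, 0, 0 };
  apply_special_opcode (&sample_lh, &st, sample_lh.opcode_base, false);
  return st.line;               /* 4294967291, i.e. (unsigned) -5 */
}

/* Same opcode through the checked path: true if it was rejected and the
   line register was left untouched.  */
static bool
demo_checked_rejects (void)
{
  struct line_state st = { 0, 0, 0 };
  bool ok = apply_special_opcode (&sample_lh, &st, sample_lh.opcode_base, true);
  return !ok && st.line == 0;
}

/* A well-formed opcode: adj_opcode = 35 advances the address by 35/14 = 2
   and the line by -5 + 35%14 = 2, so line 1 becomes 3.  */
static unsigned int
demo_normal_advance (void)
{
  struct line_state st = { 0, 0, 1 };
  apply_special_opcode (&sample_lh, &st, 13 + 35, true);
  return st.address == 2 ? st.line : 0;   /* 3 */
}

int
main (void)
{
  printf ("unchecked: line wraps to %u\n", demo_unchecked_wrap ());
  printf ("checked:   rejected = %d\n", demo_checked_rejects ());
  printf ("normal:    line = %u\n", demo_normal_advance ());
  return 0;
}
```

The checked path is the shape of guard a defensive line-table decoder wants: the per-opcode arithmetic is the same as the specification's, but every register update is computed in a type wide enough to hold the true value, and an update that the register cannot represent ends the decode of that table rather than feeding a wrapped value into later rows.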