author | Jonathan Gray <jsg@cvs.openbsd.org> | 2017-09-24 08:44:15 +0000 |
committer | Jonathan Gray <jsg@cvs.openbsd.org> | 2017-09-24 08:44:15 +0000 |
commit | 108b614742a496dbb7cfd353d779536318ebe39d (patch) | |
tree | 0b1279376fae2104ffd8e5a1b59d9a03edfeada7 /usr.bin/ctfconv | |
parent | bb79f5acff69cc6944f5076b71c6e9a0f56b10ab (diff) |
Ignore DW_FORM_strp with size larger than elf section buffer
Fixes an out-of-bounds memory access that led to a segfault.
Found with afl. ok mpi@
Diffstat (limited to 'usr.bin/ctfconv')
-rw-r--r-- | usr.bin/ctfconv/parse.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/usr.bin/ctfconv/parse.c b/usr.bin/ctfconv/parse.c
index e634082ec9f..655b69fd729 100644
--- a/usr.bin/ctfconv/parse.c
+++ b/usr.bin/ctfconv/parse.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.c,v 1.5 2017/08/29 21:10:20 deraadt Exp $ */
+/* $OpenBSD: parse.c,v 1.6 2017/09/24 08:44:14 jsg Exp $ */
 /*
  * Copyright (c) 2016-2017 Martin Pieuchot
@@ -1298,13 +1298,17 @@ dav2str(struct dwaval *dav)
 {
 	const char *str = NULL;
 	extern const char *dstrbuf;
+	extern size_t dstrlen;
 
 	switch (dav->dav_dat->dat_form) {
 	case DW_FORM_string:
 		str = dav->dav_str;
 		break;
 	case DW_FORM_strp:
-		str = dstrbuf + dav->dav_u32;
+		if (dav->dav_u32 >= dstrlen)
+			str = NULL;
+		else
+			str = dstrbuf + dav->dav_u32;
 		break;
 	default:
 		break;
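Review bot: The new guard on the DW_FORM_strp branch only checks that the offset lies inside the string section; it does not check that the string starting there is NUL-terminated before the section ends, so a string at the tail of a truncated or malformed section can still be read past dstrbuf by whatever later calls strlen() or strcmp() on the returned pointer. Tightening the guard to `if (dav->dav_u32 >= dstrlen || memchr(dstrbuf + dav->dav_u32, '\0', dstrlen - dav->dav_u32) == NULL)` before the `str = NULL;` assignment closes that gap without changing the function's contract. The default branch already returns NULL, so callers presumably tolerate a NULL result, but that is worth confirming since DW_FORM_strp previously never returned NULL. The remainder of dav2str, including its return, lies outside the hunk.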