summaryrefslogtreecommitdiff
path: root/usr.bin/ctfdump
diff options
context:
space:
mode:
authorSunil Nimmagadda <sunil@cvs.openbsd.org>2019-03-16 15:34:59 +0000
committerSunil Nimmagadda <sunil@cvs.openbsd.org>2019-03-16 15:34:59 +0000
commit8a8433ed68b21ff6a287f23710e2a4b68c4968b6 (patch)
treea724e343e51b4fb6de38058df438ae83f006fbfb /usr.bin/ctfdump
parent6d95f54cf4f0cd48d131552535d87f1b4d24c18f (diff)
Fix a buffer over-read while dumping structs/unions.
A bogus vlen in metadata could cause offset point beyond CTF section boundary. Found by afl-fuzz. Ok mpi@
Diffstat (limited to 'usr.bin/ctfdump')
-rw-r--r--usr.bin/ctfdump/ctfdump.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/usr.bin/ctfdump/ctfdump.c b/usr.bin/ctfdump/ctfdump.c
index 687bbd01b58..6c3ab924762 100644
--- a/usr.bin/ctfdump/ctfdump.c
+++ b/usr.bin/ctfdump/ctfdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ctfdump.c,v 1.20 2019/03/16 07:36:56 sunil Exp $ */
+/* $OpenBSD: ctfdump.c,v 1.21 2019/03/16 15:34:58 sunil Exp $ */
/*
* Copyright (c) 2016 Martin Pieuchot <mpi@openbsd.org>
@@ -489,6 +489,9 @@ ctf_dump_type(struct ctf_header *cth, const char *data, off_t dlen,
for (i = 0; i < vlen; i++) {
struct ctf_member *ctm;
+ if (p + toff > data + dlen)
+ errx(1, "offset exceeds CTF section");
+
if (toff > (stroff - sizeof(*ctm)))
break;
@@ -504,6 +507,9 @@ ctf_dump_type(struct ctf_header *cth, const char *data, off_t dlen,
for (i = 0; i < vlen; i++) {
struct ctf_lmember *ctlm;
+ if (p + toff > data + dlen)
+ errx(1, "offset exceeds CTF section");
+
if (toff > (stroff - sizeof(*ctlm)))
break;