Hi Aleksei,

On Thu, 2023-11-16 at 21:29 +0000, vvv...@google.com wrote:
> This check was initially added to test if offset overflows the safe
> prefix where any string will be null-terminated. However the check
> was placed in a wrong place and didn't cover all `attrp->form` cases.
> 
>     * libdw/dwarf_formstring.c (dwarf_formstring): Move offset check
>       right before returning the result.

Oops. I see how this happened for DW_FORM_strp and DW_FORM_line_strp we
use __libdw_read_offset which already check the section offset. But of
course those use d_size, not the string_section_size that was setup in
elf_begin_elf. So the check is also needed for them.

> Signed-off-by: Aleksei Vetrov <vvv...@google.com>
> ---
>  libdw/dwarf_formstring.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/libdw/dwarf_formstring.c b/libdw/dwarf_formstring.c
> index 0ee42411..65f03a5e 100644
> --- a/libdw/dwarf_formstring.c
> +++ b/libdw/dwarf_formstring.c
> @@ -173,11 +173,11 @@ dwarf_formstring (Dwarf_Attribute *attrp)
>       off = read_4ubyte_unaligned (dbg, datap);
>        else
>       off = read_8ubyte_unaligned (dbg, datap);
> -
> -      if (off >= data_size)
> -     goto invalid_offset;
>      }
>  
> +  if (off >= data_size)
> +    goto invalid_offset;
> +
>    return (const char *) data->d_buf + off;
>  }
>  INTDEF(dwarf_formstring)

Applied.

Thanks,

Mark

Reply via email to