OOB read in dwarf_getsrclines.c (HEAD commit d250dd5e) The .debug_line header parsing reads minimum_instr_len at line 250 without verifying that at least one byte remains after consuming the header_length field.
The bounds check at line 237 ensures >= 4 bytes for header_length, but read_4ubyte_unaligned_inc advances linep by exactly 4. If the unit ends immediately after header_length, linep equals lineendp and the dereference at line 250 reads one byte OOB: lh->minimum_instr_len = *linep++; CWE-125 (Out-of-bounds Read) Impact: crash/DoS from crafted .debug_line section Fix attached: bounds check before the read. Discoverer: Karan Kurani
<<attachment: elfutils-security-fix.zip>>
