Hi Karan,

Please add patches as a normal plain text attachment instead of packing them in a zip file.

On Sat, May 09, 2026 at 09:23:09PM +0530, Karan Kurani wrote:
> OOB read in dwarf_getsrclines.c (HEAD commit d250dd5e)
>
> The .debug_line header parsing reads minimum_instr_len at line 250
> without verifying that at least one byte remains after consuming
> the header_length field.

Thanks. There is a similar check in the src/readelf.c print_debug_line_section code.

Luckily the lineendp also needs to fit inside the unit data length. So a "normal" truncated .debug_line section would fail an earlier check of whether we have enough room in the section before setting lineendp. But if this is the last line unit in the section and the unit_length field is also corrupted to exactly the remaining section length, this could indeed read one byte of data after the section data.

I changed the check a little to make it similar to the way these checks are done in the rest of the code. Not because I think your check is wrong (I actually think it is more clear), but to make the code look consistent.

Pushed as attached.

Cheers,

Mark
>From 4265eed0cbd1ae08d822871d4592fd0d835b8d1f Mon Sep 17 00:00:00 2001 From: Mark Wielaard <[email protected]> Date: Sat, 9 May 2026 18:33:36 +0200 Subject: [PATCH] libdw: Check .debug_line header field minimum_instr_len fits unit data * libdw/dwarf_getsrclines.c (read_line_header): Add lineendp check before reading minimum_instr_len byte. Reported-by: Karan Kurani <[email protected]> Signed-off-by: Mark Wielaard <[email protected]> --- libdw/dwarf_getsrclines.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libdw/dwarf_getsrclines.c b/libdw/dwarf_getsrclines.c index 76db292966fb..b3fe7cc87cd9 100644 --- a/libdw/dwarf_getsrclines.c +++ b/libdw/dwarf_getsrclines.c @@ -247,6 +247,8 @@ read_line_header (Dwarf *dbg, unsigned address_size, lh->header_start = linep; /* Next the minimum instruction length. */ + if (unlikely ((size_t) (lineendp - linep) < 1)) + goto invalid_data; lh->minimum_instr_len = *linep++; /* Next the maximum operations per instruction, in version 4 format. */ -- 2.53.0
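Review bot: the new `if (unlikely ((size_t) (lineendp - linep) < 1)) goto invalid_data;` guards only the single minimum_instr_len byte, yet the trailing context shows the version-4 maximum operations per instruction field is read straight after it, so a unit crafted one byte longer than this test case would land the out-of-bounds read on that field instead; please confirm each following fixed-size header field read is bounded the same way, or bound the fixed-size remainder of the header in one check. Note also that the size_t cast turns a negative pointer difference into a very large value, so this guard is only sound if the preceding header_length check already guarantees linep <= lineendp here, which the hunk relies on but does not show.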
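To make the scenario from the thread concrete, here is an added example, written for this page and not taken from libdw or the patch: a stripped-down parser for the first fields of a 32-bit DWARF .debug_line unit header (unit_length, version, header_length, minimum_instr_len), applying the checks in the order the discussion describes and fed three constructed byte strings. The function and array names (read_line_header_prefix, good_unit, exact_last_unit, truncated_unit) are invented for the illustration; the third input shows why a plainly truncated section fails the earlier unit-fits-in-section check, while the second reproduces the last-unit case where only the added one-byte check stops the read past the end of the section.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not libdw code: parses the first fields of a
   32-bit DWARF .debug_line unit header with bounds checks.  */

enum { LH_OK = 0, LH_INVALID_DATA = 1 };

struct line_header
{
  uint32_t unit_length;
  uint16_t version;
  uint32_t header_length;
  uint8_t minimum_instr_len;
};

static uint16_t read_u16le (const unsigned char *p)
{
  return (uint16_t) (p[0] | (p[1] << 8));
}

static uint32_t read_u32le (const unsigned char *p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* [linep, endp) is the whole .debug_line section.  Never reads past endp.  */
int read_line_header_prefix (const unsigned char *linep,
                             const unsigned char *endp,
                             struct line_header *lh)
{
  /* The 4-byte unit_length field itself must be present.  */
  if ((size_t) (endp - linep) < 4)
    return LH_INVALID_DATA;
  lh->unit_length = read_u32le (linep);
  linep += 4;

  /* The unit must fit inside the section.  A plainly truncated section
     fails here, before lineendp is ever set.  */
  if ((size_t) (endp - linep) < lh->unit_length)
    return LH_INVALID_DATA;
  const unsigned char *lineendp = linep + lh->unit_length;

  /* version (2 bytes) and header_length (4 bytes) must fit in the unit.  */
  if ((size_t) (lineendp - linep) < 6)
    return LH_INVALID_DATA;
  lh->version = read_u16le (linep);
  linep += 2;
  lh->header_length = read_u32le (linep);
  linep += 4;

  /* The header must fit in the unit.  With header_length == 0 this passes
     even when linep == lineendp, which is the corrupted last-unit case.  */
  if ((size_t) (lineendp - linep) < lh->header_length)
    return LH_INVALID_DATA;

  /* The check the patch adds: without it, a last unit whose unit_length is
     exactly the 6 remaining bytes makes the next read go one past endp.  */
  if ((size_t) (lineendp - linep) < 1)
    return LH_INVALID_DATA;
  lh->minimum_instr_len = *linep++;

  return LH_OK;
}

/* Constructed inputs (little-endian, 32-bit DWARF), not from any real binary.  */

/* Well-formed: unit_length 7 -> version 4, header_length 1, minimum_instr_len 4.  */
static const unsigned char good_unit[] = {
  0x07, 0x00, 0x00, 0x00,  /* unit_length = 7 */
  0x04, 0x00,              /* version = 4 */
  0x01, 0x00, 0x00, 0x00,  /* header_length = 1 */
  0x04,                    /* minimum_instr_len = 4 */
};

/* Last unit in the section with unit_length equal to exactly the 6 bytes
   that remain, so no byte is left for minimum_instr_len.  */
static const unsigned char exact_last_unit[] = {
  0x06, 0x00, 0x00, 0x00,  /* unit_length = 6 == remaining section bytes */
  0x04, 0x00,              /* version = 4 */
  0x00, 0x00, 0x00, 0x00,  /* header_length = 0, still fits */
};

/* Ordinary truncation: unit_length claims 32 bytes but the section ends early.  */
static const unsigned char truncated_unit[] = {
  0x20, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main (void)
{
  struct line_header lh;
  const char *names[] = { "good_unit", "exact_last_unit", "truncated_unit" };
  const unsigned char *bufs[] = { good_unit, exact_last_unit, truncated_unit };
  size_t sizes[] = { sizeof good_unit, sizeof exact_last_unit, sizeof truncated_unit };
  for (int i = 0; i < 3; i++)
    {
      int r = read_line_header_prefix (bufs[i], bufs[i] + sizes[i], &lh);
      printf ("%s: %s\n", names[i], r == LH_OK ? "ok" : "invalid data");
    }
  return 0;
}
```

The two rejected inputs fail at different checks: truncated_unit never gets a lineendp because the unit does not fit in the section, while exact_last_unit passes every earlier check and is stopped only by the one-byte guard before minimum_instr_len, which is exactly the case the patch closes.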
