PR32663, ld buffer overflow reading .debug_info
When reading debug info to print an error message, we read the
debug info off disk rather than using the edited debug info. In that
case sec->rawsize, if non-zero, is the correct size.
PR 32663
* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Use
bfd_get_section_limit_octets to properly size debug sections.
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index bc17347..a62c952 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -5513,7 +5513,7 @@
if (! find_debug_info (debug_bfd, debug_sections, msec))
{
/* Case 1: only one info section. */
- total_size = msec->size;
+ total_size = bfd_get_section_limit_octets (debug_bfd, msec);
if (! read_section (debug_bfd, &stash->debug_sections[debug_info],
symbols, 0,
&stash->f.dwarf_info_buffer, &total_size))
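Review bot: Nothing near `total_size = bfd_get_section_limit_octets (debug_bfd, msec);` records why the helper replaces `msec->size`, so a later cleanup could revert it without noticing the overflow it prevents. Going by the commit message, a one-line comment would do: `/* Contents are read from disk, so size by rawsize when set, not the edited size (PR 32663). */`. The same comment would suit the first `readsz` initialisation in the multi-section loop below. The enclosing function starts and ends outside this hunk.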
@@ -5528,13 +5528,14 @@
{
if (bfd_section_size_insane (debug_bfd, msec))
goto restore_vma;
+ bfd_size_type readsz = bfd_get_section_limit_octets (debug_bfd, msec);
/* Catch PR25070 testcase overflowing size calculation here. */
- if (total_size + msec->size < total_size)
+ if (total_size + readsz < total_size)
{
bfd_set_error (bfd_error_no_memory);
goto restore_vma;
}
- total_size += msec->size;
+ total_size += readsz;
}
stash->f.dwarf_info_buffer = (bfd_byte *) bfd_malloc (total_size);
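Review bot: `readsz` is declared after the `goto restore_vma;` statement, whereas the copy loop in the next hunk declares it as the first line of its block; moving it above the `bfd_section_size_insane` check would keep the two loops parallel. From this hunk it is not visible which size `bfd_section_size_insane` validates, so it is worth confirming that it checks the same value as `readsz` rather than `msec->size`. Otherwise the sanity check and the allocation would be based on different numbers. The loop header and the code after `bfd_malloc` lie outside the hunk.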
@@ -5546,10 +5547,8 @@
msec;
msec = find_debug_info (debug_bfd, debug_sections, msec))
{
- bfd_size_type size;
-
- size = msec->size;
- if (size == 0)
+ bfd_size_type readsz = bfd_get_section_limit_octets (debug_bfd, msec);
+ if (readsz == 0)
continue;
if (!(bfd_simple_get_relocated_section_contents
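Review bot: The copy loop advances by `readsz`, but the number of octets actually written is decided inside `bfd_simple_get_relocated_section_contents`, whose arguments and body lie outside this hunk. The buffer sized by the earlier loop is therefore a safe bound only if that callee reads the same `bfd_get_section_limit_octets` length. Stating the invariant above the call would make the dependency explicit, e.g. `/* Callee must write at most readsz octets; the buffer was sized with the same helper above. */`. The `total_size += readsz;` in the following hunk rests on the same assumption.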
@@ -5557,7 +5556,7 @@
symbols)))
goto restore_vma;
- total_size += size;
+ total_size += readsz;
}
}