6ec31a457e953f4dbcdb7740d6dda676cdfb2a73 - binutils-gdb

commit: 6ec31a457e953f4dbcdb7740d6dda676cdfb2a73
[log]
author: Tom de Vries <tdevries@suse.de>
Fri May 02 22:21:36 2025 +0200
committer: Tom de Vries <tdevries@suse.de>
Fri May 02 22:21:36 2025 +0200
tree: c02b14e35e183794948394ffe1c59896fd62351f
parent: fdaf750f3271e45a2ca4b381e8e8d4058abbb58a [diff]

[gdb/symtab] Throw DWARF error on out-of-bounds DW_FORM_strx With the test-case contained in the patch, and gdb build with -fsanitize=address we get: ... ==23678==ERROR: AddressSanitizer: heap-buffer-overflow ...^M READ of size 1 at 0x6020000c30dc thread T3^[[1m^[[0m^M ptype global_var^M #0 0x2c6a40b in bfd_getl32 bfd/libbfd.c:846^M #1 0x168f96c in read_str_index gdb/dwarf2/read.c:15349^M ... The executable contains an out-of-bounds DW_FORM_strx attribute: ... $ readelf -wi $exec <2eb> DW_AT_name :readelf: Warning: string index of 1 converts to \ an offset of 0xc which is too big for section .debug_str (indexed string: 0x1): <string index too big> ... and read_str_index doesn't check for this: ... info_ptr = (str_offsets_section->buffer + str_offsets_base + str_index * offset_size); if (offset_size == 4) str_offset = bfd_get_32 (abfd, info_ptr); ... and consequently reads out-of-bounds. Fix this in read_str_index by checking for the out-of-bounds condition and throwing a DWARF error: ... (gdb) ptype global_var DWARF Error: Offset from DW_FORM_GNU_str_index or DW_FORM_strx pointing \ outside of .debug_str_offsets section in CU at offset 0x2d7 \ [in module dw-form-strx-out-of-bounds] No symbol "global_var" in current context. (gdb) ... Tested on x86_64-linux. Approved-By: Tom Tromey <tom@tromey.com>