Skip to content

Commit aa69177

Browse files
thestr4ng3rthestr4ng3r
authored
Fix oob write for dwarf with abbrev with count 0 (Fix #2083) (#2086)
1 parent 1d3f029 commit aa69177

File tree

2 files changed

+31
-17
lines changed

2 files changed

+31
-17
lines changed

librz/bin/dwarf.c

Lines changed: 23 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -1220,9 +1220,13 @@ static int init_die(RzBinDwarfDie *die, ut64 abbr_code, ut64 attr_count) {
12201220
if (!die) {
12211221
return -1;
12221222
}
1223-
die->attr_values = calloc(sizeof(RzBinDwarfAttrValue), attr_count);
1224-
if (!die->attr_values) {
1225-
return -1;
1223+
if (attr_count) {
1224+
die->attr_values = calloc(sizeof(RzBinDwarfAttrValue), attr_count);
1225+
if (!die->attr_values) {
1226+
return -1;
1227+
}
1228+
} else {
1229+
die->attr_values = NULL;
12261230
}
12271231
die->abbrev_code = abbr_code;
12281232
die->capacity = attr_count;
@@ -1726,25 +1730,27 @@ static const ut8 *parse_die(const ut8 *buf, const ut8 *buf_end, RzBinDwarfDebugI
17261730
size_t i;
17271731
const char *comp_dir = NULL;
17281732
ut64 line_info_offset = UT64_MAX;
1729-
for (i = 0; i < abbrev->count - 1; i++) {
1730-
memset(&die->attr_values[i], 0, sizeof(die->attr_values[i]));
1733+
if (abbrev->count) {
1734+
for (i = 0; i < abbrev->count - 1; i++) {
1735+
memset(&die->attr_values[i], 0, sizeof(die->attr_values[i]));
17311736

1732-
buf = parse_attr_value(buf, buf_end - buf, &abbrev->defs[i],
1733-
&die->attr_values[i], hdr, debug_str, debug_str_len, big_endian);
1737+
buf = parse_attr_value(buf, buf_end - buf, &abbrev->defs[i],
1738+
&die->attr_values[i], hdr, debug_str, debug_str_len, big_endian);
17341739

1735-
RzBinDwarfAttrValue *attribute = &die->attr_values[i];
1740+
RzBinDwarfAttrValue *attribute = &die->attr_values[i];
17361741

1737-
if (attribute->attr_name == DW_AT_comp_dir && (attribute->attr_form == DW_FORM_strp || attribute->attr_form == DW_FORM_string) && attribute->string.content) {
1738-
comp_dir = attribute->string.content;
1739-
}
1740-
if (attribute->attr_name == DW_AT_stmt_list) {
1741-
if (attribute->kind == DW_AT_KIND_CONSTANT) {
1742-
line_info_offset = attribute->uconstant;
1743-
} else if (attribute->kind == DW_AT_KIND_REFERENCE) {
1744-
line_info_offset = attribute->reference;
1742+
if (attribute->attr_name == DW_AT_comp_dir && (attribute->attr_form == DW_FORM_strp || attribute->attr_form == DW_FORM_string) && attribute->string.content) {
1743+
comp_dir = attribute->string.content;
1744+
}
1745+
if (attribute->attr_name == DW_AT_stmt_list) {
1746+
if (attribute->kind == DW_AT_KIND_CONSTANT) {
1747+
line_info_offset = attribute->uconstant;
1748+
} else if (attribute->kind == DW_AT_KIND_REFERENCE) {
1749+
line_info_offset = attribute->reference;
1750+
}
17451751
}
1752+
die->count++;
17461753
}
1747-
die->count++;
17481754
}
17491755

17501756
// If this is a compilation unit dir attribute, we want to cache it so the line info parsing

test/db/formats/elf/crash

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,3 +25,11 @@ nth vaddr bind type lib name
2525
[]
2626
EOF
2727
RUN
28+
29+
NAME=ELF/Dwarf: abbrev empty
30+
FILE=bins/elf/dwarf_fuzzed_abbrev_empty
31+
CMDS=<<EOF
32+
aaa
33+
EOF
34+
EXPECT=
35+
RUN

0 commit comments

Comments
 (0)