File libdwarf-cve-2020-27545.diff of Package libdwarf.29697
A backport of the important part of upstream's d871f028de to
fix CVE-2020-27545.
The upstream commit also touched dwarf5 code, which our libdwarf
version doesn't have. And the error reporting routines were
rewritten so those parts don't apply.
--- libdwarf/dwarf_line_table_reader_common.c.mm 2016-11-02 22:36:56.000000000 +0100
+++ libdwarf/dwarf_line_table_reader_common.c 2023-07-03 15:27:51.399888774 +0200
@@ -1637,7 +1637,15 @@ read_line_table_program(Dwarf_Debug dbg,
other than we know now many bytes it is
and the op code and the bytes of operand. */
Dwarf_Unsigned remaining_bytes = instr_length -1;
- if (instr_length < 1 || remaining_bytes > DW_LNE_LEN_MAX) {
+ Dwarf_Unsigned space_left =
+ (line_ptr <= line_ptr_end)?
+ (line_ptr_end - line_ptr):0xfffffff;
+
+ /* By catching this here instead of PRINTING_DETAILS
+ we avoid reading off of our data of interest*/
+ if (instr_length < 1 ||
+ space_left < remaining_bytes ||
+ remaining_bytes > DW_LNE_LEN_MAX) {
_dwarf_free_chain_entries(dbg,head_chain,line_count);
_dwarf_error(dbg, error,
DW_DLE_LINE_TABLE_BAD);
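Review bot: The fallback in the `space_left` initialiser fails open. When `line_ptr` is already past `line_ptr_end` it yields `0xfffffff`, so `space_left < remaining_bytes` can only fire for lengths that the `DW_LNE_LEN_MAX` test presumably rejects anyway (its value is not visible here), and the new bound is skipped in the one state where nothing is left to read. Using zero for that case, `(line_ptr_end - line_ptr):0;`, makes any non-zero `remaining_bytes` fail with `DW_DLE_LINE_TABLE_BAD`, while a zero-length operand still passes. The body of `read_line_table_program` starts and ends outside the hunk, so whether `line_ptr` can actually exceed `line_ptr_end` at this point should be confirmed against the code that decodes `instr_length`.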
@@ -1650,6 +1658,8 @@ read_line_table_program(Dwarf_Debug dbg,
dwarf_printf(dbg,
"Bytecount: %" DW_PR_DUu , (Dwarf_Unsigned)instr_length);
if (remaining_bytes > 0) {
+ /* If remaining bytes > distance to end
+ we will have an error. */
dwarf_printf(dbg,
" linedata: 0x");
while (remaining_bytes > 0) {
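Review bot: The added comment reads as if the overrun can still happen inside this dump loop, and it does not say where the error is raised. If the `space_left < remaining_bytes` check added in the earlier hunk is what guarantees the bound, say so, for example `/* remaining_bytes was checked against the distance to line_ptr_end above, so this dump stays inside the line table. */`. The lines between the two hunks and the loop body are outside the visible hunks, so confirm that nothing advances `line_ptr` between that check and this loop.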