Hi Anton,

On Sat, Feb 01, 2025 at 01:56:34AM +0300, Anton Moryakov wrote:
> Report of the static analyzer:
> After having been compared to a NULL value at
> dwarf_ranges.c:492, pointer 'd' is dereferenced at
> dwarf_ranges.c:531. (CWE476)

But there is a lot of code between those points. On line 526 there is a
call to initial_offset which will check cu->dbg->sectiondata[secidx]
(which is what d points to) and return an error if it is NULL. And on
line __libdw_offset_in_section which does a similar check. So I believe
the code cannot reach line 531 unless d != NULL.

> Corrections explained:
> When processing a DIE with missing or invalid section data,
> the code could dereference a NULL pointer, leading to undefined
> behavior. This patch adds a check to ensure 'd' is not NULL
> before using it.
>
> The fix ensures that the function safely handles cases where
> section data is missing, avoiding potential crashes.

Do you have an example where this happens? It might be that your
analyzer is right, but then it would be good to have some kind of proof
and/or reproducer.

Thanks,

Mark

> Triggers found by static analyzer Svace.
>
> Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>
>
> ---
> libdw/dwarf_ranges.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/libdw/dwarf_ranges.c b/libdw/dwarf_ranges.c
> index b853e4b9..e42d21cd 100644
> --- a/libdw/dwarf_ranges.c
> +++ b/libdw/dwarf_ranges.c
> @@ -532,7 +532,11 @@ dwarf_ranges (Dwarf_Die *die, ptrdiff_t offset,
> Dwarf_Addr *basep,
> secidx, offset, 1))
> return -1;
> }
> -
> + if(d == NULL)
> + {
> + __libdw_seterrno(DWARF_E_INVALID_DWARF);
> + return -1
> + }
> readp = d->d_buf + offset;
> readendp = d->d_buf + d->d_size;
>
> --
> 2.30.2
>
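Review bot: the added `return -1` inside the `if(d == NULL)` block has no terminating semicolon, so this hunk will not compile as posted; it needs to be `return -1;`. Beyond that, the new check sits after the call whose tail `secidx, offset, 1))` / `return -1;` appears as context directly above it, and the reply in this thread says that call and the earlier initial_offset call already reject a NULL cu->dbg->sectiondata[secidx], so at this position the test looks unreachable; either move it ahead of those calls with a reproducer in the commit message showing the NULL case, or drop it. Minor: the hunk removes the blank line before `readp = d->d_buf + offset;` and writes `if(` without the space that the surrounding code style (`dwarf_ranges (`) uses.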