A couple of buffer overflow checks in libbacktrace incorrectly used >= when comparing the end of the value with the end of the buffer. It is of course OK if the value ends at the very end of the buffer. This patch corrects those cases to use > instead. Bootstrapped and ran libbacktrace and Go tests on x86_64-pc-linux-gnu. Committed to mainline.
Ian

        * dwarf.c (resolve_string): Use > rather than >= to check whether
        string index extends past buffer.
        (resolve_addr_index): Similarly for address index.
2e7ce16d5156bab9c217d21e7ff17a6a6eaf6fd3 diff --git a/libbacktrace/dwarf.c b/libbacktrace/dwarf.c index 582f34bc816..0c913c95983 100644 --- a/libbacktrace/dwarf.c +++ b/libbacktrace/dwarf.c @@ -1053,7 +1053,7 @@ resolve_string (const struct dwarf_sections *dwarf_sections, int is_dwarf64, offset = val->u.uint * (is_dwarf64 ? 8 : 4) + str_offsets_base; if (offset + (is_dwarf64 ? 8 : 4) - >= dwarf_sections->size[DEBUG_STR_OFFSETS]) + > dwarf_sections->size[DEBUG_STR_OFFSETS]) { error_callback (data, "DW_FORM_strx value out of range", 0); return 0; @@ -1097,7 +1097,7 @@ resolve_addr_index (const struct dwarf_sections *dwarf_sections, struct dwarf_buf addr_buf; offset = addr_index * addrsize + addr_base; - if (offset + addrsize >= dwarf_sections->size[DEBUG_ADDR]) + if (offset + addrsize > dwarf_sections->size[DEBUG_ADDR]) { error_callback (data, "DW_FORM_addrx value out of range", 0); return 0;
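Review bot: In the resolve_string hunk the corrected `>` comparison is right for the half-open interval [offset, offset + entry_size), but the line just above it, `offset = val->u.uint * (is_dwarf64 ? 8 : 4) + str_offsets_base;`, is not checked for wrap-around; a very large val->u.uint from untrusted DWARF can make offset small again and pass the new check. Consider validating the index before multiplying (for example rejecting val->u.uint when it exceeds `(size - str_offsets_base) / entry_size`), and hoisting the repeated `(is_dwarf64 ? 8 : 4)` into a local so the check and the computation cannot drift apart.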
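Review bot: The resolve_addr_index hunk would benefit from a one-line comment above `if (offset + addrsize > dwarf_sections->size[DEBUG_ADDR])` stating that an entry occupying bytes offset .. offset + addrsize - 1 is in range when offset + addrsize == size, so the `>=` form this patch removes is not reintroduced later as a "stricter" check. The same wrap consideration as in the first hunk applies to `offset = addr_index * addrsize + addr_base;`, which is computed without an overflow check.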
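The boundary condition the patch corrects, as an added example that is not libbacktrace code: the pre-patch and post-patch comparisons side by side, plus a guard against the offset arithmetic wrapping around, which the visible hunks do not include and is assumed here as an extra hardening because DWARF indices come from untrusted input. All function names are hypothetical.

```c
#include <stdint.h>

/* Constructed model of the DW_FORM_strx / DW_FORM_addrx range check.
   An entry of ENTRY_SIZE bytes at OFFSET in a section of SECTION_SIZE
   bytes occupies the half-open range [offset, offset + entry_size), so
   it is in range exactly when offset + entry_size <= section_size.  */

/* The pre-patch check (>=): returns 1 ("out of range") even for an
   entry that ends exactly at the end of the section.  Kept only to
   show the off-by-one; do not use.  */
static int
out_of_range_before (uint64_t offset, uint64_t entry_size,
                     uint64_t section_size)
{
  return offset + entry_size >= section_size;
}

/* The post-patch check (>), with an added wrap-around guard: if the
   addition would overflow uint64_t, treat the entry as out of range
   instead of letting a wrapped sum pass the comparison.  */
static int
out_of_range_after (uint64_t offset, uint64_t entry_size,
                    uint64_t section_size)
{
  if (offset > UINT64_MAX - entry_size)
    return 1;
  return offset + entry_size > section_size;
}

/* Sentinel returned when an index cannot be resolved (hypothetical).  */
#define ADDRX_BAD_OFFSET UINT64_MAX

/* Mirrors the addrx computation offset = addr_index * addrsize +
   addr_base, but refuses indices whose multiplication or addition would
   wrap before applying the corrected range check.  Returns the byte
   offset of the entry, or ADDRX_BAD_OFFSET on error.  */
static uint64_t
addrx_entry_offset (uint64_t addr_index, uint64_t addrsize,
                    uint64_t addr_base, uint64_t section_size)
{
  uint64_t offset;

  if (addrsize == 0 || addr_index > UINT64_MAX / addrsize)
    return ADDRX_BAD_OFFSET;          /* addr_index * addrsize wraps */
  offset = addr_index * addrsize;
  if (offset > UINT64_MAX - addr_base)
    return ADDRX_BAD_OFFSET;          /* + addr_base wraps */
  offset += addr_base;
  if (out_of_range_after (offset, addrsize, section_size))
    return ADDRX_BAD_OFFSET;
  return offset;
}
```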