libdw: Fix overflow in read_encoded_value for the DW_EH_PE_indirect case.

If we are going to dereference a pointer there should be at least enough
data to hold a pointer. Found by afl-fuzz.

Signed-off-by: Mark Wielaard <[email protected]>

2 files changed, 9 insertions, 3 deletions

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 2757093d..aa4d09ca 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-27  Mark Wielaard  <[email protected]>
+
+	* encoded-value.h (read_encoded_value): Check data d_size contains
+	at least enough data to hold a pointer for DW_EH_PE_indirect.
+
 2015-05-22  Mark Wielaard  <[email protected]>
 
 	* dwarf_getsrclines.c (read_srclines): Limit stack usage of lines
diff --git a/libdw/encoded-value.h b/libdw/encoded-value.h
index 0fa20183..48d868fb 100644
--- a/libdw/encoded-value.h
+++ b/libdw/encoded-value.h
@@ -214,9 +214,10 @@ read_encoded_value (const Dwarf_CFI *cache, uint8_t encoding,
       if (unlikely (*result < cache->frame_vaddr))
 	return true;
       *result -= cache->frame_vaddr;
-      if (unlikely (*result > (cache->data->d.d_size
-			       - encoded_value_size (NULL, cache->e_ident,
-						     DW_EH_PE_absptr, NULL))))
+      size_t ptrsize = encoded_value_size (NULL, cache->e_ident,
+					   DW_EH_PE_absptr, NULL);
+      if (unlikely (cache->data->d.d_size < ptrsize
+		    || *result > (cache->data->d.d_size - ptrsize)))
 	return true;
       const uint8_t *ptr = cache->data->d.d_buf + *result;
       if (unlikely (__libdw_cfi_read_address_inc (cache, &ptr, 0, result)