authorUlf Hermann <[email protected]>2017-05-09 18:28:33 +0200
committerMark Wielaard <[email protected]>2017-12-20 17:47:01 +0100
commit0d100f63db640c533748a7adaa099499b2d2d4b0 (patch)
treeb826932059ef3e87254dd811b53c9d34d5b4f5c2
parent51a7292b7ec7ddebcd2abddc7efff9d604494d44 (diff)
Don't overflow in __libdw_in_section and __libdw_offset_in_section.
This exposes a bug in dwarf_formstring as detected by the dwarf-getmacros test before we made sure to use the correct sec_idx for the CU. Signed-off-by: Ulf Hermann <[email protected]> Signed-off-by: Mark Wielaard <[email protected]>
-rw-r--r--libdw/ChangeLog7
-rw-r--r--libdw/libdwP.h6
2 files changed, 11 insertions, 2 deletions
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 22b7bf4d..eb1cb709 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,10 @@
+2017-05-09 Ulf Hermann <[email protected]>
+ Mark Wielaard <[email protected]>
+
+ * libdwP.h (__libdw_in_section): Fix check for the upper border of
+ the range.
+ (__libdw_offset_in_section): Likewise.
+
2017-12-20 Mark Wielaard <[email protected]>
* libdwP.h (struct Dwarf_CU): Add sec_idx field.
diff --git a/libdw/libdwP.h b/libdw/libdwP.h
index f524347c..82b47d09 100644
--- a/libdw/libdwP.h
+++ b/libdw/libdwP.h
@@ -628,7 +628,8 @@ __libdw_offset_in_section (Dwarf *dbg, int sec_index,
if (data == NULL)
return -1;
if (unlikely (offset > data->d_size)
- || unlikely (data->d_size - offset < size))
+ || unlikely (data->d_size < size)
+ || unlikely (offset > data->d_size - size))
{
__libdw_seterrno (DWARF_E_INVALID_OFFSET);
return -1;
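Review bot: The rewritten condition is only safe because `data->d_size < size` is tested before `data->d_size - size` is computed, and nothing in the code says that the order of the `||` terms matters; a later reordering or "simplification" would bring back the unsigned wrap this commit removes. A comment above the `if` such as `/* Order matters: reject d_size < size first, otherwise d_size - size wraps around. */` would pin it down, and the same comment fits the condition in the __libdw_in_section hunk below. With the two new terms in place the leading `offset > data->d_size` test appears to be redundant, since any such offset also exceeds `d_size - size`; either drop it or note that it is kept on purpose. The function's body starts and ends outside the hunk.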
@@ -645,7 +646,8 @@ __libdw_in_section (Dwarf *dbg, int sec_index,
if (data == NULL)
return false;
if (unlikely (addr < data->d_buf)
- || unlikely (data->d_size - (addr - data->d_buf) < size))
+ || unlikely (data->d_size < size)
+ || unlikely ((size_t)(addr - data->d_buf) > data->d_size - size))
{
__libdw_seterrno (DWARF_E_INVALID_OFFSET);
return false;
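Review bot: The cast in `(size_t)(addr - data->d_buf)` yields a sane value only because the preceding `addr < data->d_buf` term short-circuits first, and both that comparison and the subtraction are applied to a pointer that, given what the function checks, may lie outside the section buffer. ISO C leaves relational comparison and subtraction of pointers into different objects undefined, so the bounds check itself rests on compiler behaviour rather than on the language; presumably that holds for the compilers the project targets. Doing the arithmetic on integers keeps the same test without that reliance, e.g. `uintptr_t a = (uintptr_t) addr, b = (uintptr_t) data->d_buf;` followed by `a < b || a - b > data->d_size - size`, assuming `<stdint.h>` is available in this header. The function's body starts and ends outside the hunk.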