authorMark Wielaard <[email protected]>2018-06-12 14:36:50 +0200
committerMark Wielaard <[email protected]>2018-06-17 01:04:39 +0200
commit58ed0e647f1012f8b75eda47967d849aeb619ec2 (patch)
treed6d88f7ad7e518a03371c91556c5c1f75ebae004
parentcfe65047ad96500a8786625ef949099ec5671774 (diff)
readelf: Check there are at least 4 bytes available for DWARF_FORM_block4.
Found by afl-fuzz. When printing a DW_FORM_block4 we only checked that 2 bytes were available (copied from the DW_FORM_block2 case right before). Obviously we need at least 4 bytes to read the length of a DW_FORM_block4. Signed-off-by: Mark Wielaard <[email protected]>
-rw-r--r--src/ChangeLog5
-rw-r--r--src/readelf.c2
2 files changed, 6 insertions, 1 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index d401da27..805a1bf0 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,10 @@
2018-06-12 Mark Wielaard <[email protected]>
+ * readelf.c (print_form_data): Check we have 4, not 2, bytes
+ available for DW_FORM_block4.
+
+2018-06-12 Mark Wielaard <[email protected]>
+
* readelf.c (print_form_data): Don't increase strreadp after use.
Do increase readp for DW_FORM_strx[1234].
diff --git a/src/readelf.c b/src/readelf.c
index a6173806..2e7378e2 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -7987,7 +7987,7 @@ print_form_data (Dwarf *dbg, int form, const unsigned char *readp,
break;
case DW_FORM_block4:
- if (readendp - readp < 2)
+ if (readendp - readp < 4)
goto invalid_data;
val = read_4ubyte_unaligned_inc (dbg, readp);
if ((size_t) (readendp - readp) < val)