readelf, libdw: Handle too many directories or files in the line table better.

The afl fuzzer found that the way we handle "too many" directories or files
in the (DWARF5 style) line table badly. In the case of eu-readelf we would
print an endless stream of "bad directory" or "bad file". Just stop printing
when the end of data is reached. In the case of dwarf_getsrclines we would
allocate a giant amount of memory, even if there was no data to actually
read in. Sanity check that the directory and file counts seem reasonable
compared to the amount of data left (assume we need at least 1 byte of
data per form describing the dirs or files).

Signed-off-by: Mark Wielaard <[email protected]>

1 files changed, 10 insertions, 0 deletions

diff --git a/libdw/dwarf_getsrclines.c b/libdw/dwarf_getsrclines.c
index 07baebcc..bb512ec6 100644
--- a/libdw/dwarf_getsrclines.c
+++ b/libdw/dwarf_getsrclines.c
@@ -356,6 +356,11 @@ read_srclines (Dwarf *dbg,
 
       if (nforms == 0 && ndirs != 0)
 	goto invalid_data;
+
+      /* Assume there is at least 1 byte needed per form to describe
+	 the directory.  Filters out insanely large ndirs.  */
+      if (nforms != 0 && ndirs > (size_t) (lineendp - linep) / nforms)
+	goto invalid_data;
     }
 
   /* Arrange the list in array form.  */
@@ -561,6 +566,11 @@ read_srclines (Dwarf *dbg,
       if (nforms == 0 && nfiles != 0)
 	goto invalid_data;
 
+      /* Assume there is at least 1 byte needed per form to describe
+	 the file.  Filters out insanely large nfiles.  */
+      if (nforms != 0 && nfiles > (size_t) (lineendp - linep) / nforms)
+	goto invalid_data;
+
       Dwarf_Attribute attr;
       attr.cu = &fake_cu;
       for (unsigned int n = 0; n < nfiles; n++)