| author | Mark Wielaard <[email protected]> | 2015-05-27 14:05:15 +0200 |
|---|---|---|
| committer | Mark Wielaard <[email protected]> | 2015-06-01 10:34:11 +0200 |
| commit | 1ae83ee85404b345150104148b50c60ebcb79398 (patch) | |
| tree | 35c292bf0986ca98d942d43a765e58de86a1f33a /libdw/encoded-value.h | |
| parent | e115bda377091bc211a786cdc7474337dd5508b6 (diff) | |
libdw: Fix overflow in read_encoded_value for the DW_EH_PE_indirect case.
If we are going to dereference a pointer there should be at least enough
data to hold a pointer. Found by afl-fuzz.
Signed-off-by: Mark Wielaard <[email protected]>
Diffstat (limited to 'libdw/encoded-value.h')
| -rw-r--r-- | libdw/encoded-value.h | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/libdw/encoded-value.h b/libdw/encoded-value.h
index 0fa20183..48d868fb 100644
--- a/libdw/encoded-value.h
+++ b/libdw/encoded-value.h
@@ -214,9 +214,10 @@ read_encoded_value (const Dwarf_CFI *cache, uint8_t encoding,
 if (unlikely (*result < cache->frame_vaddr))
 return true;
 *result -= cache->frame_vaddr;
- if (unlikely (*result > (cache->data->d.d_size
- - encoded_value_size (NULL, cache->e_ident,
- DW_EH_PE_absptr, NULL))))
+ size_t ptrsize = encoded_value_size (NULL, cache->e_ident,
+ DW_EH_PE_absptr, NULL);
+ if (unlikely (cache->data->d.d_size < ptrsize
+ || *result > (cache->data->d.d_size - ptrsize)))
 return true;
 const uint8_t *ptr = cache->data->d.d_buf + *result;
 if (unlikely (__libdw_cfi_read_address_inc (cache, &ptr, 0, result)
|
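Review bot: The added condition is only safe because `cache->data->d.d_size < ptrsize` is tested before `cache->data->d.d_size - ptrsize` is evaluated, and nothing in the code records that dependency. `ptrsize` is a `size_t` and `d_size` is presumably unsigned as well, so without the first test the subtraction wraps and the bound accepts any offset, which is the overflow the commit message describes. I would put a short comment above the `if`, for example `/* Unsigned arithmetic: make sure the data can hold a pointer before subtracting, or the bound wraps. */`, so a later simplification does not fold the two tests back into one. read_encoded_value starts and ends outside this hunk, so any other `size - n` style bounds checks in it are not visible here and may deserve the same look.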
