-rw-r--r--libdw/ChangeLog5
-rw-r--r--libdw/dwarf_getabbrev.c7
-rw-r--r--libdw/dwarf_getaranges.c9
3 files changed, 21 insertions, 0 deletions
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 85f12c4e..d87cf11c 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2005-08-01 Roland McGrath <[email protected]>
+
+ * dwarf_getaranges.c (dwarf_getaranges): Check for bogus offset.
+ * dwarf_getabbrev.c (__libdw_getabbrev): Likewise.
+
2005-07-28 Ulrich Drepper <[email protected]>
* Makefile.am (libdw.so): No need to link with libeu.a anymore.
diff --git a/libdw/dwarf_getabbrev.c b/libdw/dwarf_getabbrev.c
index a6968a83..ecac0859 100644
--- a/libdw/dwarf_getabbrev.c
+++ b/libdw/dwarf_getabbrev.c
@@ -34,8 +34,15 @@ __libdw_getabbrev (dbg, cu, offset, lengthp, result)
if (dbg->sectiondata[IDX_debug_abbrev] == NULL)
return NULL;
+ if (offset >= dbg->sectiondata[IDX_debug_abbrev]->d_size)
+ {
+ __libdw_seterrno (DWARF_E_INVALID_OFFSET);
+ return NULL;
+ }
+
const unsigned char *abbrevp
= (unsigned char *) dbg->sectiondata[IDX_debug_abbrev]->d_buf + offset;
+
if (*abbrevp == '\0')
/* We are past the last entry. */
return DWARF_END_ABBREV;
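Review bot: The new bound check at the top of the hunk only establishes that the single byte `*abbrevp` lies inside .debug_abbrev; the decoding that follows (ULEB128 code, tag, children flag and the attribute/form pairs) advances past `offset` and, as far as this hunk shows, has no end pointer to compare against, so a truncated entry at the section tail can still read past `d_buf + d_size`. I would compute the section end once next to `abbrevp`, e.g. `const unsigned char *abbrevend = (unsigned char *) dbg->sectiondata[IDX_debug_abbrev]->d_buf + dbg->sectiondata[IDX_debug_abbrev]->d_size;`, and have each subsequent read bail out with `DWARF_E_INVALID_DWARF` when `abbrevp >= abbrevend`. The check also rejects `offset == d_size`, which is right, since the `'\0'` sentinel test below dereferences `abbrevp` unconditionally. __libdw_getabbrev starts before and continues past this hunk, so the reads that need the bound are outside what is shown here.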
diff --git a/libdw/dwarf_getaranges.c b/libdw/dwarf_getaranges.c
index f7cf050f..d51ddaeb 100644
--- a/libdw/dwarf_getaranges.c
+++ b/libdw/dwarf_getaranges.c
@@ -106,6 +106,10 @@ dwarf_getaranges (dbg, aranges, naranges)
else
offset = read_8ubyte_unaligned_inc (dbg, readp);
+ /* Sanity-check the offset. */
+ if (offset + 4 > dbg->sectiondata[IDX_debug_info]->d_size)
+ goto invalid;
+
unsigned int address_size = *readp++;
if (address_size != 4 && address_size != 8)
goto invalid;
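Review bot: The sanity check `offset + 4 > dbg->sectiondata[IDX_debug_info]->d_size` is written in a form that can wrap: `offset` comes straight from the file (an 8-byte read on the line above), so if it is an unsigned 64-bit value and within 4 of its maximum, `offset + 4` wraps to a small number, the check passes, and the later `d_buf + offset` read lands on a wild pointer. Rewriting it as two non-wrapping comparisons avoids that, `if (offset >= dbg->sectiondata[IDX_debug_info]->d_size || dbg->sectiondata[IDX_debug_info]->d_size - offset < 4) goto invalid;`. If `offset` is actually a narrower type the wrap cannot happen, but the subtraction form is safe either way and costs nothing. The hunk also dereferences `sectiondata[IDX_debug_info]` without a visible NULL check; if the function has not already verified that .debug_info is present before this point (its body starts outside the hunk), that should be added too. dwarf_getaranges continues past this hunk.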
@@ -154,6 +158,11 @@ dwarf_getaranges (dbg, aranges, naranges)
offset_size = 4;
new_arange->arange.offset = offset + 3 * offset_size - 4 + 3;
+ /* Sanity-check the data. */
+ if (new_arange->arange.offset
+ >= dbg->sectiondata[IDX_debug_info]->d_size)
+ goto invalid;
+
new_arange->next = arangelist;
arangelist = new_arange;
++narangelist;