ubsan: shift exponent 70 is too large

Message ID 20200316023654.GK23597@bubble.grove.modra.org
State New

Commit Message

Jose E. Marchesi via Binutils March 16, 2020, 2:36 a.m.
* unwind-ia64.c (unw_decode_uleb128): Prevent overlarge shifts.
	Detect shift overflows and check that terminating byte is found.
	Print an error on a bad uleb128.


-- 
Alan Modra
Australia Development Lab, IBM

Patch

diff --git a/binutils/unwind-ia64.c b/binutils/unwind-ia64.c
index b59a531e68..b9eae5bb21 100644
--- a/binutils/unwind-ia64.c
+++ b/binutils/unwind-ia64.c
@@ -544,21 +544,34 @@  static unw_word
 unw_decode_uleb128 (const unsigned char **dpp, const unsigned char * end)
 {
   unsigned shift = 0;
+  int status = 1;
   unw_word byte, result = 0;
   const unsigned char *bp = *dpp;
 
   while (bp < end)
     {
       byte = *bp++;
-      result |= (byte & 0x7f) << shift;
+      if (shift < sizeof (result) * 8)
+	{
+	  result |= (byte & 0x7f) << shift;
+	  if ((result >> shift) != (byte & 0x7f))
+	    /* Overflow.  */
+	    status |= 2;
+	  shift += 7;
+	}
+      else if ((byte & 0x7f) != 0)
+	status |= 2;
 
       if ((byte & 0x80) == 0)
-	break;
-
-      shift += 7;
+	{
+	  status &= ~1;
+	  break;
+	}
     }
 
   *dpp = bp;
+  if (status != 0)
+    printf (_("Bad uleb128\n"));
 
   return result;
 }
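Review bot: The new error path at the end of unw_decode_uleb128 only prints `Bad uleb128`, so `result` is still returned and `*dpp` still advanced as if the decode had succeeded; the value is truncated on overflow and partial when `end` is reached before a terminating byte. The callers are outside this hunk, so it is worth checking whether any of them uses the returned value as a length or count when walking unwind data from an untrusted file; if so, returning a fixed value such as 0 on failure would be more predictable than returning the partial one. The two `status` bits are bare magic numbers, and a comment at the declaration would help, e.g. `/* status bit 0: no terminating byte before END; bit 1: value does not fit in unw_word.  */`. The single message also hides which of the two cases fired, which matters when triaging a fuzzed input; separate wording for the truncated and the overflow case would keep that distinction.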