Adding DW202403-001 ossfuzz id: 67490

davea42 · davea42 · commit 2930f3121ee6 · 2024-03-19T09:42:34.000-07:00
modified:   data.txt

A carefully corrupted line table
header can cause libdwarf to read outside of its
allowed areas in a .debug_line section reading
the file names part of the header.
The failure to check for end-of-section following the
very last byte in section has been present for many years.
	modified:   ../src/lib/libdwarf/dwarf_line_table_reader_common.h
diff --git a/bugxml/data.txt b/bugxml/data.txt
@@ -1,3 +1,22 @@
+id: DW202403-001
+fuzzer: ossfuzz id: 67490
+datereported: 2024-03-18
+reportedby: David Korczynski
+vulnerability: Reads past end of line table
+product: libdwarf
+description: A carefully corrupted line table
+  header can cause libdwarf to read outside of its
+  allowed areas in a .debug_line section reading
+  the file names part of the header.
+  The failure to check for end-of-section following the
+  very last byte in section has been present for many years. 
+datefixed: 2024-02-19
+references: regressiontests/ossfuzz67490/fuzz_srcfiles-5195296927711232
+gitfixid: 
+tarrelease:
+endrec: DW202403-001
+
+
 id: DW202402-003
 fuzzer: hongg
 datereported: 2024-02-18
diff --git a/src/lib/libdwarf/dwarf_line_table_reader_common.h b/src/lib/libdwarf/dwarf_line_table_reader_common.h
@@ -911,6 +911,16 @@ _dwarf_read_line_table_header(Dwarf_Debug dbg,
                     filename_entry_pairs[j].up_first;
                 Dwarf_Unsigned lnform =
                     filename_entry_pairs[j].up_second;
+
+                if (line_ptr >= line_ptr_end) {
+                    free(filename_entry_pairs);
+                    _dwarf_error_string(dbg, err,
+                        DW_DLE_LINE_NUMBER_HEADER_ERROR,
+                        "DW_DLE_LINE_NUMBER_HEADER_ERROR: "
+                        "file name format count too large "
+                        "to be correct. Corrupt DWARF/");
+                    return DW_DLV_ERROR;
+                }
                 switch (lntype) {
                 /* The LLVM LNCT is documented in
                     https://releases.llvm.org/9.0.0/docs
@@ -1064,8 +1074,11 @@ _dwarf_read_line_table_header(Dwarf_Debug dbg,
                 }
                 if (line_ptr > line_ptr_end) {
                     free(filename_entry_pairs);
-                    _dwarf_error(dbg, err,
-                        DW_DLE_LINE_NUMBER_HEADER_ERROR);
+                    _dwarf_error_string(dbg, err,
+                        DW_DLE_LINE_NUMBER_HEADER_ERROR,
+                        "DW_DLE_LINE_NUMBER_HEADER_ERROR: "
+                        "Reading line table header filenames "
+                        "runs off end of section. Corrupt Dwarf");
                     return DW_DLV_ERROR;
                 }
             }
