[llvm-dwarfdump] - Fix array out of bounds access crash.

author George Rimar <grimar@accesssoftek.com>

Wed, 25 Oct 2017 10:23:49 +0000 (10:23 +0000)

committer George Rimar <grimar@accesssoftek.com>

Wed, 25 Oct 2017 10:23:49 +0000 (10:23 +0000)
author George Rimar <grimar@accesssoftek.com>
Wed, 25 Oct 2017 10:23:49 +0000 (10:23 +0000)
committer George Rimar <grimar@accesssoftek.com>
Wed, 25 Oct 2017 10:23:49 +0000 (10:23 +0000)
diff --git a/include/llvm/DebugInfo/DWARF/DWARFDie.h b/include/llvm/DebugInfo/DWARF/DWARFDie.h

index 9cb067a01298f822825f6dfd7c0419b5dfdf9a8c..75fc5995c5b220b7f75413274ca059b1dc9811ff 100644 (file)
--- a/include/llvm/DebugInfo/DWARF/DWARFDie.h
+++ b/include/llvm/DebugInfo/DWARF/DWARFDie.h
@@ -108,11 +108,7 @@ public:
    ///
    /// \returns a valid DWARFDie instance if this object has children or an
    /// invalid DWARFDie instance if it doesn't.
-  DWARFDie getFirstChild() const {
-    if (isValid() && Die->hasChildren())
-      return DWARFDie(U, Die + 1);
-    return DWARFDie();
-  }
+  DWARFDie getFirstChild() const;
  
    /// Dump the DIE and all of its attributes to the supplied stream.
    ///
diff --git a/include/llvm/DebugInfo/DWARF/DWARFUnit.h b/include/llvm/DebugInfo/DWARF/DWARFUnit.h

index 78f873e9840f5afe85e18c5d37cb574f5d753b01..696299fb3115e539a4be4ab111f126b0c8b4b5fe 100644 (file)
--- a/include/llvm/DebugInfo/DWARF/DWARFUnit.h
+++ b/include/llvm/DebugInfo/DWARF/DWARFUnit.h
@@ -372,6 +372,7 @@ public:
  
    DWARFDie getParent(const DWARFDebugInfoEntry *Die);
    DWARFDie getSibling(const DWARFDebugInfoEntry *Die);
+  DWARFDie getFirstChild(const DWARFDebugInfoEntry *Die);
  
    /// \brief Return the DIE object for a given offset inside the
    /// unit's DIE vector.
diff --git a/lib/DebugInfo/DWARF/DWARFDie.cpp b/lib/DebugInfo/DWARF/DWARFDie.cpp

index a534d3628ef6afb2af76f4ad415157a2d29f599e..d20eabff7f042581dc23afe5fede39b1f1d1abde 100644 (file)
--- a/lib/DebugInfo/DWARF/DWARFDie.cpp
+++ b/lib/DebugInfo/DWARF/DWARFDie.cpp
@@ -511,6 +511,12 @@ DWARFDie DWARFDie::getSibling() const {
    return DWARFDie();
  }
  
+DWARFDie DWARFDie::getFirstChild() const {
+  if (isValid())
+    return U->getFirstChild(Die);
+  return DWARFDie();
+}
+
  iterator_range<DWARFDie::attribute_iterator> DWARFDie::attributes() const {
    return make_range(attribute_iterator(*this, false),
                      attribute_iterator(*this, true));
diff --git a/lib/DebugInfo/DWARF/DWARFUnit.cpp b/lib/DebugInfo/DWARF/DWARFUnit.cpp

index 86451faa79deb6b46031aaa86918de9aa7f2add7..65ab59434947ff01774e57d7523f26f363471c7a 100644 (file)
--- a/lib/DebugInfo/DWARF/DWARFUnit.cpp
+++ b/lib/DebugInfo/DWARF/DWARFUnit.cpp
@@ -450,6 +450,17 @@ DWARFDie DWARFUnit::getSibling(const DWARFDebugInfoEntry *Die) {
    return DWARFDie();
  }
  
+DWARFDie DWARFUnit::getFirstChild(const DWARFDebugInfoEntry *Die) {
+  if (!Die->hasChildren())
+    return DWARFDie();
+
+  // We do not want access out of bounds when parsing corrupted debug data.
+  size_t I = getDIEIndex(Die) + 1;
+  if (I >= DieArray.size())
+    return DWARFDie();
+  return DWARFDie(this, &DieArray[I]);
+}
+
  const DWARFAbbreviationDeclarationSet *DWARFUnit::getAbbreviations() const {
    if (!Abbrevs)
      Abbrevs = Abbrev->getAbbreviationDeclarationSet(AbbrOffset);
diff --git a/test/tools/llvm-dwarfdump/X86/verify_debug_info2.s b/test/tools/llvm-dwarfdump/X86/verify_debug_info2.s

new file mode 100644 (file)

index 0000000..71b9557
--- /dev/null
+++ b/test/tools/llvm-dwarfdump/X86/verify_debug_info2.s
@@ -0,0 +1,42 @@
+# RUN: llvm-mc %s -filetype obj -triple=i686-pc-linux -o %t
+# RUN: not llvm-dwarfdump -v -verify %t 2>&1 | FileCheck %s
+# CHECK: The length for this unit is too large for the .debug_info provided.
+
+## Check we do not crash when trying to parse truncated .debug_info.
+.section  .debug_info,"",@progbits
+  .long 0x1c
+  .value  0x4
+  .long  .Ldebug_abbrev0
+  .byte  0x4
+
+  .uleb128 0x1 # DW_TAG_compile_unit [1] *
+  .long  0     # DW_AT_producer [DW_FORM_strp] ( .debug_str[0x00000000] = "test")
+  .byte  0x4   # DW_AT_language [DW_FORM_data1] (DW_LANG_C_plus_plus)
+  .long  0     # DW_AT_name [DW_FORM_strp] ( .debug_str[0x00000000] = "test")
+  .long  0     # DW_AT_comp_dir [DW_FORM_strp] ( .debug_str[0x00000000] = "test")
+  .long  0     # DW_AT_low_pc [DW_FORM_addr] (0x0000000000000000)
+  .long  0     # DW_AT_high_pc [DW_FORM_data4] (0x00000000)
+
+.section  .debug_abbrev,"",@progbits
+.Ldebug_abbrev0:
+  .uleb128 0x1
+  .uleb128 0x11 # DW_TAG_compile_unit, DW_CHILDREN_yes
+  .byte  0x1
+  .uleb128 0x25 # DW_AT_producer, DW_FORM_strp
+  .uleb128 0xe
+  .uleb128 0x13 # DW_AT_language, DW_FORM_data1
+  .uleb128 0xb
+  .uleb128 0x3  # DW_AT_name, DW_FORM_strp
+  .uleb128 0xe
+  .uleb128 0x1b # DW_AT_comp_dir, DW_FORM_strp
+  .uleb128 0xe
+  .uleb128 0x11 # DW_AT_low_pc, DW_FORM_addr
+  .uleb128 0x1
+  .uleb128 0x12 # DW_AT_high_pc, DW_FORM_data4
+  .uleb128 0x6
+  .byte  0
+  .byte  0
+  .byte  0
+
+.section .debug_str,"MS",@progbits,1
+.string "test"
author	George Rimar <grimar@accesssoftek.com>
	Wed, 25 Oct 2017 10:23:49 +0000 (10:23 +0000)
committer	George Rimar <grimar@accesssoftek.com>
	Wed, 25 Oct 2017 10:23:49 +0000 (10:23 +0000)
include/llvm/DebugInfo/DWARF/DWARFDie.h		patch \| blob \| history
include/llvm/DebugInfo/DWARF/DWARFUnit.h		patch \| blob \| history
lib/DebugInfo/DWARF/DWARFDie.cpp		patch \| blob \| history
lib/DebugInfo/DWARF/DWARFUnit.cpp		patch \| blob \| history
test/tools/llvm-dwarfdump/X86/verify_debug_info2.s	[new file with mode: 0644]	patch \| blob