Fix a buffer over-read while dumping functions.

A bogus vlen in metadata could cause offset point beyond CTF section boundary. Found by afl-fuzz. Ok mpi@
2025-01-10 06:47:55 -08:00 · 2019-03-16 16:35:03 +00:00 · 2019-03-16 16:35:03 +00:00 · 7b3efaaaec
commit 7b3efaaaec
parent 9bcbe5a4c7
1 changed files with 4 additions and 1 deletions
--- a/usr.bin/ctfdump/ctfdump.c
+++ b/usr.bin/ctfdump/ctfdump.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: ctfdump.c,v 1.21 2019/03/16 15:34:58 sunil Exp $ */
+/*	$OpenBSD: ctfdump.c,v 1.22 2019/03/16 16:35:03 sunil Exp $ */

 /*
 * Copyright (c) 2016 Martin Pieuchot <mpi@openbsd.org>
@ -476,6 +476,9 @@ ctf_dump_type(struct ctf_header *cth, const char *data, off_t dlen,
 		printf(" returns: %u args: (%u", ctt->ctt_type, *argp);
 		for (i = 1; i < vlen; i++) {
 			argp++;
+			if ((const char *)argp > data + dlen)
+				errx(1, "offset exceeds CTF section");
+
 			printf(", %u", *argp);
 		}
 		printf(")");