Description: Fix CVE-2017-9998
Origin: upstream, https://sourceforge.net/p/libdwarf/code/ci/e91681e8841291f57386f26a90897fd1dcf92a6e/
Bug: https://www.prevanders.net/dwarfbug.html#DW201706-001
Bug-Debian: https://bugs.debian.org/866968
Last-Update: 2017-07-08
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/libdwarf/dwarf_query.c
+++ b/libdwarf/dwarf_query.c
@@ -524,11 +524,17 @@
         if (res != DW_DLV_OK) {
             return res;
         }
-        if ((info_ptr + value_size) > die_info_end) {
-            /*  Something badly wrong. We point past end
-                of debug_info or debug_types . */
-            _dwarf_error(dbg,error,DW_DLE_DIE_ABBREV_BAD);
-            return DW_DLV_ERROR;
+        {
+            /* ptrdiff_t is signed type, so use DW signed type */
+            Dwarf_Signed len = die_info_end - info_ptr;
+            if (len < 0 || (value_size > ((Dwarf_Unsigned)len))) {
+                /*  Something badly wrong. We point past end
+                    of debug_info or debug_types or a
+                    section is unreasonably sized or we are
+                    pointing to two different sections? */
+                _dwarf_error(dbg,error,DW_DLE_DIE_ABBREV_BAD);
+                return DW_DLV_ERROR;
+            }
         }
         info_ptr+= value_size;
     } while (curr_attr != 0 || curr_attr_form != 0);
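Review bot: The new bounds test still subtracts two pointers that the comment on the following lines admits may lie in different sections, and pointer subtraction across distinct objects is undefined in C, so the `len < 0` branch relies on the compiler not exploiting that. Doing the arithmetic on unsigned integer values avoids the question entirely: `if ((uintptr_t)info_ptr > (uintptr_t)die_info_end || value_size > (Dwarf_Unsigned)((uintptr_t)die_info_end - (uintptr_t)info_ptr))` rejects both a pointer already past the end and a value_size that would run past it, without a signed intermediate. If this file does not already include `<stdint.h>`, any unsigned pointer-sized type the project provides serves the same purpose. The enclosing do/while loop and its function begin before this hunk.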
@@ -679,7 +685,7 @@
         but with a base. */
     sectionsize = dbg->de_debug_addr.dss_size;
     sectionend = sectionstart + sectionsize;
-    if ((addr_offset + context->cc_address_size) > sectionsize) {
+    if (addr_offset > (sectionsize - context->cc_address_size)) {
         _dwarf_error(dbg, error, DW_DLE_ATTR_FORM_SIZE_BAD);
         return (DW_DLV_ERROR);
     }
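Review bot: The rewritten check on the `+` line underflows when `context->cc_address_size` exceeds `sectionsize`; if sectionsize is unsigned (its declaration is outside the hunk), the subtraction wraps to a huge value and an out-of-range addr_offset is accepted, which is the class of bug this patch sets out to fix. Guard the subtrahend first: `if (context->cc_address_size > sectionsize || addr_offset > (sectionsize - context->cc_address_size)) {`. A comment such as `/* sectionsize - cc_address_size must not wrap */` would make the ordering of the two comparisons deliberate for the next reader. The enclosing function starts before this hunk.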
