[llvm-dwarfdump] - Fix array out of bounds access crash.

This fixes possible out of bound access in DWARFDie::getFirstChild() which might happen when .debug_info section is corrupted, like shown in testcase. Differential revision: https://reviews.llvm.org/D39185 llvm-svn: 316566
author: George Rimar <grimar@accesssoftek.com> 2017-10-25 10:23:49 +0000
committer: George Rimar <grimar@accesssoftek.com> 2017-10-25 10:23:49 +0000
commit: 0be860f695e30b227e3358c182dd367026e6c91c (patch)
tree: 562e2d39a209b384736552cae50126170a9cb424 /llvm
parent: 90bbcfd3508e6e5596ec15e46c0f3946bd509424 (diff)
download: bcm5719-llvm-0be860f695e30b227e3358c182dd367026e6c91c.tar.gz
bcm5719-llvm-0be860f695e30b227e3358c182dd367026e6c91c.zip
5 files changed, 61 insertions, 5 deletions
diff --git a/llvm/include/llvm/DebugInfo/DWARF/DWARFDie.h b/llvm/include/llvm/DebugInfo/DWARF/DWARFDie.h
index 9cb067a0129..75fc5995c5b 100644
--- a/llvm/include/llvm/DebugInfo/DWARF/DWARFDie.h
+++ b/llvm/include/llvm/DebugInfo/DWARF/DWARFDie.h
@@ -108,11 +108,7 @@ public:
   ///
   /// \returns a valid DWARFDie instance if this object has children or an
   /// invalid DWARFDie instance if it doesn't.
-  DWARFDie getFirstChild() const {
-    if (isValid() && Die->hasChildren())
-      return DWARFDie(U, Die + 1);
-    return DWARFDie();
-  }
+  DWARFDie getFirstChild() const;
 
   /// Dump the DIE and all of its attributes to the supplied stream.
   ///
diff --git a/llvm/include/llvm/DebugInfo/DWARF/DWARFUnit.h b/llvm/include/llvm/DebugInfo/DWARF/DWARFUnit.h
index 78f873e9840..696299fb311 100644
--- a/llvm/include/llvm/DebugInfo/DWARF/DWARFUnit.h
+++ b/llvm/include/llvm/DebugInfo/DWARF/DWARFUnit.h
@@ -372,6 +372,7 @@ public:
 
   DWARFDie getParent(const DWARFDebugInfoEntry *Die);
   DWARFDie getSibling(const DWARFDebugInfoEntry *Die);
+  DWARFDie getFirstChild(const DWARFDebugInfoEntry *Die);
 
   /// \brief Return the DIE object for a given offset inside the
   /// unit's DIE vector.
diff --git a/llvm/lib/DebugInfo/DWARF/DWARFDie.cpp b/llvm/lib/DebugInfo/DWARF/DWARFDie.cpp
index a534d3628ef..d20eabff7f0 100644
--- a/llvm/lib/DebugInfo/DWARF/DWARFDie.cpp
+++ b/llvm/lib/DebugInfo/DWARF/DWARFDie.cpp
@@ -511,6 +511,12 @@ DWARFDie DWARFDie::getSibling() const {
   return DWARFDie();
 }
 
+DWARFDie DWARFDie::getFirstChild() const {
+  if (isValid())
+    return U->getFirstChild(Die);
+  return DWARFDie();
+}
+
 iterator_range<DWARFDie::attribute_iterator> DWARFDie::attributes() const {
   return make_range(attribute_iterator(*this, false),
                     attribute_iterator(*this, true));
diff --git a/llvm/lib/DebugInfo/DWARF/DWARFUnit.cpp b/llvm/lib/DebugInfo/DWARF/DWARFUnit.cpp
index 86451faa79d..65ab5943494 100644
--- a/llvm/lib/DebugInfo/DWARF/DWARFUnit.cpp
+++ b/llvm/lib/DebugInfo/DWARF/DWARFUnit.cpp
@@ -450,6 +450,17 @@ DWARFDie DWARFUnit::getSibling(const DWARFDebugInfoEntry *Die) {
   return DWARFDie();
 }
 
+DWARFDie DWARFUnit::getFirstChild(const DWARFDebugInfoEntry *Die) {
+  if (!Die->hasChildren())
+    return DWARFDie();
+
+  // We do not want access out of bounds when parsing corrupted debug data.
+  size_t I = getDIEIndex(Die) + 1;
+  if (I >= DieArray.size())
+    return DWARFDie();
+  return DWARFDie(this, &DieArray[I]);
+}
+
 const DWARFAbbreviationDeclarationSet *DWARFUnit::getAbbreviations() const {
   if (!Abbrevs)
     Abbrevs = Abbrev->getAbbreviationDeclarationSet(AbbrOffset);
diff --git a/llvm/test/tools/llvm-dwarfdump/X86/verify_debug_info2.s b/llvm/test/tools/llvm-dwarfdump/X86/verify_debug_info2.s
new file mode 100644
index 00000000000..71b95579839
--- /dev/null
+++ b/llvm/test/tools/llvm-dwarfdump/X86/verify_debug_info2.s
@@ -0,0 +1,42 @@
+# RUN: llvm-mc %s -filetype obj -triple=i686-pc-linux -o %t
+# RUN: not llvm-dwarfdump -v -verify %t 2>&1 | FileCheck %s
+# CHECK: The length for this unit is too large for the .debug_info provided.
+
+## Check we do not crash when trying to parse truncated .debug_info.
+.section  .debug_info,"",@progbits
+  .long 0x1c
+  .value  0x4
+  .long  .Ldebug_abbrev0
+  .byte  0x4
+
+  .uleb128 0x1 # DW_TAG_compile_unit [1] *
+  .long  0     # DW_AT_producer [DW_FORM_strp] ( .debug_str[0x00000000] = "test")
+  .byte  0x4   # DW_AT_language [DW_FORM_data1] (DW_LANG_C_plus_plus)
+  .long  0     # DW_AT_name [DW_FORM_strp] ( .debug_str[0x00000000] = "test")
+  .long  0     # DW_AT_comp_dir [DW_FORM_strp] ( .debug_str[0x00000000] = "test")
+  .long  0     # DW_AT_low_pc [DW_FORM_addr] (0x0000000000000000)
+  .long  0     # DW_AT_high_pc [DW_FORM_data4] (0x00000000)
+
+.section  .debug_abbrev,"",@progbits
+.Ldebug_abbrev0:
+  .uleb128 0x1
+  .uleb128 0x11 # DW_TAG_compile_unit, DW_CHILDREN_yes
+  .byte  0x1
+  .uleb128 0x25 # DW_AT_producer, DW_FORM_strp
+  .uleb128 0xe
+  .uleb128 0x13 # DW_AT_language, DW_FORM_data1
+  .uleb128 0xb
+  .uleb128 0x3  # DW_AT_name, DW_FORM_strp
+  .uleb128 0xe
+  .uleb128 0x1b # DW_AT_comp_dir, DW_FORM_strp
+  .uleb128 0xe
+  .uleb128 0x11 # DW_AT_low_pc, DW_FORM_addr
+  .uleb128 0x1
+  .uleb128 0x12 # DW_AT_high_pc, DW_FORM_data4
+  .uleb128 0x6
+  .byte  0
+  .byte  0
+  .byte  0
+
+.section .debug_str,"MS",@progbits,1
+.string "test"
author	George Rimar <grimar@accesssoftek.com>	2017-10-25 10:23:49 +0000
committer	George Rimar <grimar@accesssoftek.com>	2017-10-25 10:23:49 +0000
commit	0be860f695e30b227e3358c182dd367026e6c91c (patch)
tree	562e2d39a209b384736552cae50126170a9cb424 /llvm
parent	90bbcfd3508e6e5596ec15e46c0f3946bd509424 (diff)
download	bcm5719-llvm-0be860f695e30b227e3358c182dd367026e6c91c.tar.gz bcm5719-llvm-0be860f695e30b227e3358c182dd367026e6c91c.zip