Subject: Is it possible to overflow baton->size in dwarf_mark_symbols_computed() in dwarf2read.c?
From: "Cuthbertson, Reva D."
Date: Fri, 13 May 2005 15:19:00 -0000
Mailing-List: contact gdb-help@sources.redhat.com; run by ezmlm
X-SW-Source: 2005-05/txt/msg00149.txt.bz2

Hello,

I had a question regarding the following assignment in dwarf2_mark_symbol_computed() in dwarf2read.c:

    baton->size = dwarf2_per_objfile->loc_size - DW_UNSND (attr);

The field "loc_size" in dwarf2_per_objfile is declared to be an unsigned integer, and attr.u.unsnd (the expansion of DW_UNSND (attr)) is declared to be an unsigned long, but the "size" field in dwarf2_loclist_baton and dwarf2_locexpr_baton, defined in dwarf2loc.h, is defined to be an unsigned short. Is it possible to overflow baton->size with the above calculation?

If it is possible, then in find_location_expression() in dwarf2loc.c there may be a problem processing a location list entry, as baton->size is used to determine the end of that location list entry. I think this overflow could happen for a program with a large .debug_loc section.

Do you believe that this is a problem?

Thanks!

Reva Cuthbertson
reva.cuthbertson@hp.com
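The narrowing the message asks about can be reproduced without GDB. The following is an added example, not code from the message or from GDB: it uses constructed stand-in structs whose field types match what the message states (unsigned int section size, unsigned long attribute value, unsigned short baton size), repeats the quoted assignment on constructed sizes, and places a hypothetical checked variant (assign_checked, not a GDB function) beside it that rejects any value the unsigned short cannot hold.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the GDB types named in the message.  Only the
   field types matter here: they mirror what the message states about
   loc_size (unsigned int), DW_UNSND (attr) (unsigned long) and
   baton->size (unsigned short).  These are not GDB's real definitions. */
struct per_objfile_stub { unsigned int loc_size; };
struct loclist_baton_stub { unsigned short size; };

/* Repeats the assignment quoted in the message.  The subtraction is done in
   unsigned long; storing the result in an unsigned short keeps only the low
   16 bits (the value is reduced modulo USHRT_MAX + 1). */
static unsigned short assign_as_in_message(unsigned int loc_size, unsigned long offset)
{
    struct per_objfile_stub per_objfile = { loc_size };
    struct loclist_baton_stub baton;

    baton.size = per_objfile.loc_size - offset;
    return baton.size;
}

/* Hypothetical checked variant (not GDB code): compute in the wide type,
   then refuse both an offset past the end of the section (which would wrap
   below zero in unsigned arithmetic) and a remainder that does not fit the
   16-bit field.  Returns false instead of storing a misleading size. */
static bool assign_checked(unsigned int loc_size, unsigned long offset, unsigned short *out)
{
    if (offset > loc_size)
        return false;                     /* would wrap */

    unsigned long size = (unsigned long) loc_size - offset;
    if (size > USHRT_MAX)
        return false;                     /* would be truncated */

    *out = (unsigned short) size;
    return true;
}

/* True when the 16-bit field no longer equals the full-width difference. */
static bool truncates(unsigned int loc_size, unsigned long offset)
{
    unsigned long full = (unsigned long) loc_size - offset;
    return (unsigned long) assign_as_in_message(loc_size, offset) != full;
}

int main(void)
{
    /* Constructed sizes: a 128 KiB .debug_loc with an entry at offset 0x100. */
    unsigned int loc_size = 0x20000u;
    unsigned long offset = 0x100ul;
    unsigned short checked;

    printf("loc_size=%u offset=%lu -> baton.size=%u (full difference %lu)\n",
           loc_size, offset, assign_as_in_message(loc_size, offset),
           (unsigned long) loc_size - offset);
    printf("checked assignment accepted: %s\n",
           assign_checked(loc_size, offset, &checked) ? "yes" : "no");
    return 0;
}
```

With a section larger than 64 KiB the stored size is the full difference modulo 65536, so the remaining-bytes value that find_location_expression() would use can be far smaller than the real remainder; when the attribute offset exceeds the section size the unsigned subtraction wraps first and the stored value is meaningless. The checked variant computes the difference once in the widest type and rejects both cases before anything is stored.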