
Fix heap-buffer-overflow in DWARF v5 line info parser#493

Merged
EricRahm merged 2 commits into google:main from sharadboni:fix-dwarf-v5-directory-index-oob
Apr 24, 2026

Conversation

@sharadboni
Contributor

Summary

The DWARF v5 file name parsing path in LineInfoReader (src/dwarf/line_info.cc) does not validate that directory_index is within the bounds of include_directories_ before pushing the file name entry. The DWARF v4 code path already has this check (line 149), but the v5 path is missing it.

When GetExpandedFilename() later uses the unchecked directory_index to look up include_directories_[directory_index], a crafted ELF file with an out-of-range directory_index triggers a heap-buffer-overflow read.

Fix

Add the same bounds check that exists in the v4 path:

if (file_name.directory_index >= include_directories_.size()) {
  THROW("directory index out of range");
}

This is inserted right before filenames_.push_back(file_name) in the v5 parsing loop (after all entry format fields have been read), so the index is fully resolved before validation.

Reproduction

A minimal crafted ELF with a DWARF v5 .debug_line section containing a directory_index larger than the directory count triggers the bug. Under AddressSanitizer:

==PID==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x...
READ of size 16 at 0x...
    #0 bloaty::dwarf::LineInfoReader::GetExpandedFilename(...)

Test plan

  • Verified the fix rejects the crafted PoC with "directory index out of range" instead of crashing
  • Verified normal ELF binaries with valid DWARF v5 line info still parse correctly

Add bounds check for directory_index in the DWARF v5 file name parsing
path, matching the existing validation in the DWARF v4 path. Without
this check, a crafted ELF with an out-of-range directory_index causes
an out-of-bounds read in GetExpandedFilename().
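As an added example (not bloaty's code), a standalone C++ model of the v5 file-name table parse with the check from this PR in place, run over constructed entries. It assumes a fixed entry format (DW_FORM_string path, DW_FORM_udata directory index) instead of reading directory_entry_format, and the names ReadULEB128, ReadCString, ParseV5 and ParseV5Error are chosen here.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>
// Constructed model of the DWARF v5 directory and file-name tables. The entry format is
// fixed to (DW_LNCT_path as DW_FORM_string, DW_LNCT_directory_index as DW_FORM_udata).
struct FileName { std::string name; uint64_t directory_index; };
struct LineTable {
  std::vector<std::string> include_directories;
  std::vector<FileName> filenames;
  std::string GetExpandedFilename(size_t i) const {  // unchecked lookup, as the PR describes
    const FileName& f = filenames.at(i);
    return include_directories[f.directory_index] + "/" + f.name;  // safe only after ParseV5's check
  }
};
static uint64_t ReadULEB128(const std::vector<uint8_t>& buf, size_t& pos) {
  uint64_t result = 0;
  for (unsigned shift = 0;; shift += 7) {
    if (pos >= buf.size() || shift > 63) throw std::runtime_error("bad ULEB128");
    uint8_t b = buf[pos++]; result |= uint64_t(b & 0x7f) << shift;
    if (!(b & 0x80)) return result;
  }
}
static std::string ReadCString(const std::vector<uint8_t>& buf, size_t& pos) {
  std::string s;
  while (pos < buf.size() && buf[pos] != 0) s.push_back(char(buf[pos++]));
  if (pos++ >= buf.size()) throw std::runtime_error("unterminated string");  // also skips the NUL
  return s;
}
// Layout: dir_count, dirs..., file_count, then (path, directory_index) pairs.
LineTable ParseV5(const std::vector<uint8_t>& buf) {
  LineTable t; size_t pos = 0;
  uint64_t dir_count = ReadULEB128(buf, pos);
  for (uint64_t i = 0; i < dir_count; ++i) t.include_directories.push_back(ReadCString(buf, pos));
  uint64_t file_count = ReadULEB128(buf, pos);
  for (uint64_t i = 0; i < file_count; ++i) {
    FileName f{ReadCString(buf, pos), ReadULEB128(buf, pos)};  // braced init: evaluated left to right
    // The check the PR adds to the v5 path, once every entry field has been read.
    if (f.directory_index >= t.include_directories.size()) throw std::runtime_error("directory index out of range");
    t.filenames.push_back(f);
  }
  return t;
}
// Constructed inputs: one directory "src", one file "a.c" with index 0 (valid) or 133 (ULEB 0x85 0x01).
std::vector<uint8_t> ValidInput() { return {1, 's', 'r', 'c', 0, 1, 'a', '.', 'c', 0, 0}; }
std::vector<uint8_t> OutOfRangeInput() { return {1, 's', 'r', 'c', 0, 1, 'a', '.', 'c', 0, 0x85, 0x01}; }
std::string ParseV5Error(const std::vector<uint8_t>& buf) {  // "" when the table is accepted
  try { ParseV5(buf); return ""; } catch (const std::runtime_error& e) { return e.what(); }
}
```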
@google-cla

google-cla Bot commented Apr 15, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@sharadboni sharadboni closed this Apr 15, 2026
@sharadboni sharadboni reopened this Apr 15, 2026
@sharadboni
Contributor Author

@EricRahm Could you review this security fix when you get a chance? It adds a missing bounds check in the DWARF v5 line info parser that allows a heap-buffer-overflow via crafted ELF files.

@EricRahm
Collaborator

Thanks @sharadboni! Sorry for the delay, let's get this landed. If possible it'd be great to get a follow-up adding a lit test for this.

@EricRahm EricRahm merged commit 04bca29 into google:main Apr 24, 2026
10 checks passed