authorAlan Modra <amodra@gmail.com>2020-06-29 09:51:07 +0930
committerAlan Modra <amodra@gmail.com>2020-06-29 10:09:14 +0930
commit07d22f648e56d7276fa7a4a73438005448c406fb (patch)
treeed775472361aa5b8a78aec9e7a3a642e81480b6f /bfd
parent279edac53db8fa6482ee3e305c9627f788fd2699 (diff)
asan: _bfd_pei_slurp_codeview_record use of uninit value
Fixes some seriously careless code. bfd_bread return value is (bfd_size_type)-1 on error. "if (bfd_bread (...) < 4)" does not check for an error since bfd_size_type is unsigned. In any case, I think we should be reading and checking the requested length. * peXXigen.c (_bfd_XXi_slurp_codeview_record): Properly check return value of bfd_bread. Don't read more than requested length. Sanity check length. Properly terminate file name.
Diffstat (limited to 'bfd')
-rw-r--r--bfd/ChangeLog6
-rw-r--r--bfd/peXXigen.c10
2 files changed, 14 insertions, 2 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 4a87b3b..1bf65c2 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,11 @@
2020-06-29 Alan Modra <amodra@gmail.com>
+ * peXXigen.c (_bfd_XXi_slurp_codeview_record): Properly check
+ return value of bfd_bread. Don't read more than requested length.
+ Sanity check length. Properly terminate file name.
+
+2020-06-29 Alan Modra <amodra@gmail.com>
+
* arc-got.h: Use C style comments.
* coff-z80.c: Likewise.
* elf32-csky.c: Likewise.
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index b3b6808..5149ef5 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -1147,15 +1147,21 @@ CODEVIEW_INFO *
_bfd_XXi_slurp_codeview_record (bfd * abfd, file_ptr where, unsigned long length, CODEVIEW_INFO *cvinfo)
{
char buffer[256+1];
+ bfd_size_type nread;
if (bfd_seek (abfd, where, SEEK_SET) != 0)
return NULL;
- if (bfd_bread (buffer, 256, abfd) < 4)
+ if (length <= sizeof (CV_INFO_PDB70) && length <= sizeof (CV_INFO_PDB20))
+ return NULL;
+ if (length > 256)
+ length = 256;
+ nread = bfd_bread (buffer, length, abfd);
+ if (length != nread)
return NULL;
/* Ensure null termination of filename. */
- buffer[256] = '\0';
+ memset (buffer + nread, 0, sizeof (buffer) - nread);
cvinfo->CVSignature = H_GET_32 (abfd, buffer);
cvinfo->Age = 0;
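Review bot: The sanity check `length <= sizeof (CV_INFO_PDB70) && length <= sizeof (CV_INFO_PDB20)` rejects only lengths at or below the smaller of the two headers, so a record shorter than the larger header still gets past it. The added memset keeps later field reads inside initialised memory, but whether such a truncated record is then rejected depends on per-signature length checks that would sit outside this hunk (the function body continues past it). If that is the intent, a comment such as `/* Reject records too short for either header; per-format length is checked below.  */` would make it explicit. Separately, the clamp `if (length > 256)` and the `buffer + nread` memset are safe only because 256 happens to match `char buffer[256+1]`; writing the clamp as `if (length > sizeof (buffer) - 1) length = sizeof (buffer) - 1;` ties the bound to the declaration so a later resize cannot silently break it.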