From 9d9e2a340ba50670f406afa314acaa9a2c34ec64 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Tue, 18 May 2021 23:39:35 +0930
Subject: PR27879, stack-buffer-overflow on sysdump PR 27879 * sysdump.c (getBARRAY): Sanity check size against max. (getINT): Avoid UB shift left.
---
 binutils/sysdump.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'binutils/sysdump.c')
diff --git a/binutils/sysdump.c b/binutils/sysdump.c
index 8993152..35796e8 100644
--- a/binutils/sysdump.c
+++ b/binutils/sysdump.c
@@ -131,19 +131,21 @@ fillup (unsigned char *ptr)
 }
 static barray
-getBARRAY (unsigned char *ptr, int *idx, int dsize ATTRIBUTE_UNUSED,
- int max ATTRIBUTE_UNUSED)
+getBARRAY (unsigned char *ptr, int *idx, int dsize ATTRIBUTE_UNUSED, int max)
 {
 barray res;
 int i;
 int byte = *idx / 8;
- int size = ptr[byte++];
+ int size = 0;
+
+ if (byte < max)
+ size = ptr[byte++];
 res.len = size;
 res.data = (unsigned char *) xmalloc (size);
 for (i = 0; i < size; i++)
- res.data[i] = ptr[byte++];
+ res.data[i] = byte < max ? ptr[byte++] : 0;
 return res;
 }
@@ -179,7 +181,8 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
 n = (ptr[byte + 0] << 8) + ptr[byte + 1];
 break;
 case 4:
- n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]);
+ n = (((unsigned) ptr[byte + 0] << 24) + (ptr[byte + 1] << 16)
+ + (ptr[byte + 2] << 8) + (ptr[byte + 3]));
 break;
 default:
 fatal (_("Unsupported read size: %d"), size);
-- cgit v1.1
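Review bot: In getBARRAY a record whose length byte promises more data than the buffer holds is now padded with zeros silently, and `res.len` still reports the full `size`, so the dump output cannot tell real zero bytes from missing ones. Consider clamping after the length read, e.g. `if (size > max - byte) size = max - byte;`, or emitting a warning when `byte >= max` is reached, whichever the callers can tolerate (their use of `res.len` is not visible here). A short comment above the copy loop would also help: `/* Bytes beyond MAX read as zero so a truncated record never indexes past PTR.  */`. The guard assumes `max` is a byte count for `ptr`, which this hunk does not show.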
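Review bot: The `(unsigned)` cast in `case 4` makes the sum unsigned, but the result is still stored in `n`, whose declaration lies outside this hunk. If `n` is a signed `int`, a first byte of 0x80 or above now goes through an implementation-defined conversion rather than an undefined shift, which deserves a comment such as `/* Shift in unsigned; values with bit 31 set wrap when stored in N.  */`. The hunk also does not show whether `byte + 3` is checked against `max` before these reads, so confirm that the existing bounds check earlier in getINT covers the 4-byte case. getINT starts and ends outside the hunk.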