authorAlan Modra <amodra@gmail.com>2025-05-08 09:20:23 +0930
committerAlan Modra <amodra@gmail.com>2025-05-08 09:26:56 +0930
commit4aaf663ded55a029f02f83952c0e96e6b1dd4e8d (patch)
treea88ec2b12d94971da0f499df2f77b347f2ea6ff4
parent76fd7455e3eb479690fc23a70555db178d4d3a84 (diff)
windres: buffer overflow
bin_to_res_menuexitems can be called with random data offsets (and thus remaining lengths), confusing code that expects 4-byte aligned data. Prevent an item length adjustment for alignment exceeding the remaining length and then overflowing.
-rw-r--r--binutils/resbin.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/binutils/resbin.c b/binutils/resbin.c
index 01046ec..3bce84f 100644
--- a/binutils/resbin.c
+++ b/binutils/resbin.c
@@ -433,6 +433,11 @@ bin_to_res_menuexitems (windres_bfd *wrbfd, const bfd_byte *data,
itemlen = 14 + slen * 2 + 2;
itemlen = (itemlen + 3) &~ 3;
+ /* Don't allow rounding up of itemlen to exceed length. This
+ is an anti-fuzzer measure to cope with unexpected offsets and
+ lengths. */
+ if (itemlen > length)
+ itemlen = length;
if ((flags & 1) == 0)
{
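Review bot: The added clamp `if (itemlen > length) itemlen = length;` silently accepts a final item whose alignment padding is missing, and its comment calls this an "anti-fuzzer measure" without naming the invariant it protects. Going by the commit description, the invariant is that `itemlen` never exceeds the remaining `length`, presumably so a later `length - itemlen` cannot wrap; a comment such as `/* Keep itemlen <= length: malformed input may omit the pad bytes, and the remaining length must not wrap when itemlen is subtracted. */` would record that. The clamp only covers the rounding step, so it is worth confirming that the unrounded `14 + slen * 2 + 2` is already bounded by `length` earlier in the loop. It is also worth confirming that the `flags & 1` branch checks the remaining length before reading at `data + itemlen`. Both sit outside this hunk, as bin_to_res_menuexitems starts before it and continues after it.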