authorAlan Modra <amodra@gmail.com>2021-10-23 11:27:14 +1030
committerAlan Modra <amodra@gmail.com>2021-10-24 21:36:32 +1030
commit3f9661f12a42583c91655bc5c5b60542bcaed4e2 (patch)
tree7c9771edd280b3a23065aa4a06facd9cfa6b1564
parent560b3fe208255ae909b4b1c88ba9c28b09043307 (diff)
asan: aout: heap buffer overflow
* aoutx.h (aout_get_external_symbols): Sanity check before writing zero index entry. Remove outdated comment. * pdp11.c (aout_get_external_symbols): Likewise.
-rw-r--r--bfd/aoutx.h5
-rw-r--r--bfd/pdp11.c5
2 files changed, 4 insertions, 6 deletions
diff --git a/bfd/aoutx.h b/bfd/aoutx.h
index ea09646..61d8e0c 100644
--- a/bfd/aoutx.h
+++ b/bfd/aoutx.h
@@ -1353,8 +1353,6 @@ aout_get_external_symbols (bfd *abfd)
if (stringsize >= BYTES_IN_WORD)
{
- /* Keep the string count in the buffer for convenience
- when indexing with e_strx. */
amt = stringsize - BYTES_IN_WORD;
if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
{
@@ -1364,7 +1362,8 @@ aout_get_external_symbols (bfd *abfd)
}
}
/* Ensure that a zero index yields an empty string. */
- memset (strings, 0, BYTES_IN_WORD);
+ if (stringsize >= BYTES_IN_WORD)
+ memset (strings, 0, BYTES_IN_WORD);
/* Ensure that the string buffer is NUL terminated. */
strings[stringsize] = 0;
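Review bot: The comment `/* Ensure that a zero index yields an empty string. */` above the new guard now promises more than the code does, because the memset is skipped whenever stringsize is below BYTES_IN_WORD. For a non-empty table shorter than one word, nothing visible in this hunk clears strings[0], so a zero e_strx may not resolve to an empty string if that byte was never written; the allocation and read paths are outside the hunk, so this is inferred. I would reword the comment to `/* Ensure that a zero index yields an empty string when the table has room for the count word. */`, or state in the function's header comment that tables shorter than BYTES_IN_WORD have no index-zero entry. The body of aout_get_external_symbols starts and ends outside this hunk.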
diff --git a/bfd/pdp11.c b/bfd/pdp11.c
index 6429b43..280f5cd 100644
--- a/bfd/pdp11.c
+++ b/bfd/pdp11.c
@@ -1333,8 +1333,6 @@ aout_get_external_symbols (bfd *abfd)
if (stringsize >= BYTES_IN_LONG)
{
- /* Keep the string count in the buffer for convenience
- when indexing with e_strx. */
amt = stringsize - BYTES_IN_LONG;
if (bfd_bread (strings + BYTES_IN_LONG, amt, abfd) != amt)
{
@@ -1344,7 +1342,8 @@ aout_get_external_symbols (bfd *abfd)
}
}
/* Ensure that a zero index yields an empty string. */
- memset (strings, 0, BYTES_IN_LONG);
+ if (stringsize >= BYTES_IN_WORD)
+ memset (strings, 0, BYTES_IN_LONG);
/* Ensure that the string buffer is NUL terminated. */
strings[stringsize] = 0;
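Review bot: The new guard compares stringsize with BYTES_IN_WORD, but the memset it protects writes BYTES_IN_LONG bytes, and the read earlier in this file is gated on `stringsize >= BYTES_IN_LONG`. If BYTES_IN_WORD is smaller than BYTES_IN_LONG for this target (the definitions are not in the hunk; I believe pdp11.c uses 2 and 4), a string table of BYTES_IN_WORD to BYTES_IN_LONG - 1 bytes passes the check and the memset can still write past the end of the buffer, which is the overflow this commit sets out to close. The guard should use the same constant as the write: `if (stringsize >= BYTES_IN_LONG)`. The body of aout_get_external_symbols extends beyond this hunk, so the allocated size of strings should be confirmed there.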