aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Modra <amodra@gmail.com>2020-02-24 13:19:13 +1030
committerAlan Modra <amodra@gmail.com>2020-02-24 13:21:48 +1030
commita98c743fdf721a2333220209ca15e147badb55d1 (patch)
treef5316ed3c706f01401a8564d6bbde4018cbdd63f
parentc893ce360a81bed57b9256f9d065541c2f8175c0 (diff)
downloadbinutils-a98c743fdf721a2333220209ca15e147badb55d1.zip
binutils-a98c743fdf721a2333220209ca15e147badb55d1.tar.gz
binutils-a98c743fdf721a2333220209ca15e147badb55d1.tar.bz2
Re: vms buffer overflows and large memory allocation
The last patch wasn't quite correct. I'd missed the fact that sbm_off had been updated. * vms-lib.c (_bfd_vms_lib_archive_p): Correct overflow checks.
-rw-r--r--bfd/ChangeLog4
-rw-r--r--bfd/vms-lib.c14
2 files changed, 12 insertions, 6 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 58b560d..eeb042c 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,9 @@
2020-02-24 Alan Modra <amodra@gmail.com>
+ * vms-lib.c (_bfd_vms_lib_archive_p): Correct overflow checks.
+
+2020-02-24 Alan Modra <amodra@gmail.com>
+
* vms-lib.c (struct carsym_mem): Add limit.
(vms_add_index): Heed limit.
(vms_traverse_index): Catch buffer overflows. Remove outdated fixme.
diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c
index 3b42857..87f8658 100644
--- a/bfd/vms-lib.c
+++ b/bfd/vms-lib.c
@@ -627,6 +627,8 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind)
sbm = (struct vms_dcxsbm *) (buf + sbm_off);
sbm_sz = bfd_getl16 (sbm->size);
sbm_off += sbm_sz;
+ if (sbm_off > reclen)
+ goto err;
sbmdesc->min_char = sbm->min_char;
BFD_ASSERT (sbmdesc->min_char == 0);
@@ -639,21 +641,21 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind)
goto err;
sbmdesc->flags = (unsigned char *)bfd_alloc (abfd, l);
off = bfd_getl16 (sbm->flags);
- if (off > reclen - sbm_off
- || reclen - sbm_off - off < l)
+ if (off > sbm_sz
+ || sbm_sz - off < l)
goto err;
memcpy (sbmdesc->flags, (bfd_byte *) sbm + off, l);
sbmdesc->nodes = (unsigned char *)bfd_alloc (abfd, 2 * sbm_len);
off = bfd_getl16 (sbm->nodes);
- if (off > reclen - sbm_off
- || reclen - sbm_off - off < 2 * sbm_len)
+ if (off > sbm_sz
+ || sbm_sz - off < 2 * sbm_len)
goto err;
memcpy (sbmdesc->nodes, (bfd_byte *) sbm + off, 2 * sbm_len);
off = bfd_getl16 (sbm->next);
if (off != 0)
{
- if (off > reclen - sbm_off
- || reclen - sbm_off - off < 2 * sbm_len)
+ if (off > sbm_sz
+ || sbm_sz - off < 2 * sbm_len)
goto err;
/* Read the 'next' array. */
sbmdesc->next = (unsigned short *) bfd_alloc (abfd, 2 * sbm_len);