author | Alan Modra <amodra@gmail.com> | 2020-02-24 13:19:13 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2020-02-24 13:21:48 +1030 |
commit | a98c743fdf721a2333220209ca15e147badb55d1 (patch) | |
tree | f5316ed3c706f01401a8564d6bbde4018cbdd63f | |
parent | c893ce360a81bed57b9256f9d065541c2f8175c0 (diff) | |
Re: vms buffer overflows and large memory allocation
The last patch wasn't quite correct. I'd missed the fact that sbm_off
had been updated.
* vms-lib.c (_bfd_vms_lib_archive_p): Correct overflow checks.
-rw-r--r-- | bfd/ChangeLog | 4 | ||||
-rw-r--r-- | bfd/vms-lib.c | 14 |
2 files changed, 12 insertions, 6 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 58b560d..eeb042c 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,9 @@
 2020-02-24 Alan Modra <amodra@gmail.com>
+ * vms-lib.c (_bfd_vms_lib_archive_p): Correct overflow checks.
+
+2020-02-24 Alan Modra <amodra@gmail.com>
+
 * vms-lib.c (struct carsym_mem): Add limit.
 (vms_add_index): Heed limit.
 (vms_traverse_index): Catch buffer overflows. Remove outdated fixme.
diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c
index 3b42857..87f8658 100644
--- a/bfd/vms-lib.c
+++ b/bfd/vms-lib.c
@@ -627,6 +627,8 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind)
 sbm = (struct vms_dcxsbm *) (buf + sbm_off);
 sbm_sz = bfd_getl16 (sbm->size);
 sbm_off += sbm_sz;
+ if (sbm_off > reclen)
+ goto err;
 sbmdesc->min_char = sbm->min_char;
 BFD_ASSERT (sbmdesc->min_char == 0);
@@ -639,21 +641,21 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind)
 goto err;
 sbmdesc->flags = (unsigned char *)bfd_alloc (abfd, l);
 off = bfd_getl16 (sbm->flags);
- if (off > reclen - sbm_off
- || reclen - sbm_off - off < l)
+ if (off > sbm_sz
+ || sbm_sz - off < l)
 goto err;
 memcpy (sbmdesc->flags, (bfd_byte *) sbm + off, l);
 sbmdesc->nodes = (unsigned char *)bfd_alloc (abfd, 2 * sbm_len);
 off = bfd_getl16 (sbm->nodes);
- if (off > reclen - sbm_off
- || reclen - sbm_off - off < 2 * sbm_len)
+ if (off > sbm_sz
+ || sbm_sz - off < 2 * sbm_len)
 goto err;
 memcpy (sbmdesc->nodes, (bfd_byte *) sbm + off, 2 * sbm_len);
 off = bfd_getl16 (sbm->next);
 if (off != 0)
 {
- if (off > reclen - sbm_off
- || reclen - sbm_off - off < 2 * sbm_len)
+ if (off > sbm_sz
+ || sbm_sz - off < 2 * sbm_len)
 goto err;
 /* Read the 'next' array. */
 sbmdesc->next = (unsigned short *) bfd_alloc (abfd, 2 * sbm_len);
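Review bot: The new `if (sbm_off > reclen)` guard is the only thing that makes the later `off > sbm_sz` / `sbm_sz - off < ...` comparisons sufficient, because `sbm_sz` is itself read from the untrusted record via `bfd_getl16 (sbm->size)`; that dependency is not visible from the three rewritten checks and deserves a comment at the guard, e.g. `/* sbm_sz comes from the file; every sbm-relative offset below is bounded by it, so the whole sub-block must lie inside the record.  */`. The guard also does not require `sbm_sz` to cover the `struct vms_dcxsbm` header, so if nothing earlier in the function establishes that the header at `buf + sbm_off` fits within `reclen`, the reads of `sbm->size`, `sbm->flags`, `sbm->nodes` and `sbm->next` are only bounded by the previous iteration's check rather than by this one; if that is the case, `if (sbm_sz < sizeof (struct vms_dcxsbm) || sbm_off > reclen) goto err;` would close it. A zero `sbm_sz` leaves `sbm_off` unchanged and passes the guard, which is presumably handled by the loop driver outside this hunk. The enclosing function `_bfd_vms_lib_archive_p` begins and ends outside the hunk.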