authorAlan Modra <amodra@gmail.com>2020-03-26 10:49:27 +1030
committerAlan Modra <amodra@gmail.com>2020-03-26 11:02:58 +1030
commitf75fbe8ad2e3d9b34bf1f448a6df328ff361822f (patch)
tree59a87f782ad6c3ba3af0de9bd3adfd824ac39019
parent46b438bb7369a55eefef15cd5d1afbb5c2c5742e (diff)
alpha-vms: Sanity check ETIR__C_CTL_DFLOC index
I doubt anyone will want to create more than 16M debug location entries. If there is no bound, the object format allows 32-bit indices, and of course fuzzers find that and attempt allocation of up to a 16G byte array. The patch also fixes potential integer overflows in calculating the array size.

* vms-alpha.c (dst_define_location): Limit size of dst_ptr_offsets array.
(_bfd_vms_slurp_object_records): Rename "err" to "ok".
-rw-r--r--bfd/ChangeLog6
-rw-r--r--bfd/vms-alpha.c26
2 files changed, 23 insertions, 9 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index cac27e3..b5a2e7d 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2020-03-26 Alan Modra <amodra@gmail.com>
+
+ * vms-alpha.c (dst_define_location): Limit size of dst_ptr_offsets
+ array.
+ (_bfd_vms_slurp_object_records): Rename "err" to "ok".
+
2020-03-25 Nick Clifton <nickc@redhat.com>
* cofflink.c (bfd_coff_get_internal_extra_pe_aouthdr): New
diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
index c08d35d..594363b 100644
--- a/bfd/vms-alpha.c
+++ b/bfd/vms-alpha.c
@@ -1553,6 +1553,14 @@ dst_define_location (bfd *abfd, unsigned int loc)
{
vms_debug2 ((4, "dst_define_location (%d)\n", (int)loc));
+ if (loc > 1 << 24)
+ {
+ /* 16M entries ought to be plenty. */
+ bfd_set_error (bfd_error_bad_value);
+ _bfd_error_handler (_("dst_define_location %u too large"), loc);
+ return FALSE;
+ }
+
/* Grow the ptr offset table if necessary. */
if (loc + 1 > PRIV (dst_ptr_offsets_count))
{
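Review bot: The new bound `if (loc > 1 << 24)` is a bare magic number, and the one-line comment "16M entries ought to be plenty" does not say what the check actually protects: the `loc + 1` on the following line and the table-size computation in the grow path, which lies past the end of this hunk and so cannot be checked here. I would spell that out next to the constant, e.g. `/* Bound the index so that loc + 1 cannot wrap and the dst_ptr_offsets size computed below stays far below the 32-bit range the format would otherwise permit.  */`, and give the limit a name such as `DST_MAX_LOC` rather than an inline shift. Writing the constant as `1u << 24` also keeps the comparison unsigned throughout, since `loc` is `unsigned int` and the current literal is a signed `int` that is promoted on comparison. Whether the allocation multiply itself is now overflow-free depends on the element size used in the grow code outside the hunk; the description says it is, but that part is not visible here.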
@@ -2634,7 +2642,7 @@ _bfd_vms_slurp_eeom (bfd *abfd)
static bfd_boolean
_bfd_vms_slurp_object_records (bfd * abfd)
{
- bfd_boolean err;
+ bfd_boolean ok;
int type;
do
@@ -2651,27 +2659,27 @@ _bfd_vms_slurp_object_records (bfd * abfd)
switch (type)
{
case EOBJ__C_EMH:
- err = _bfd_vms_slurp_ehdr (abfd);
+ ok = _bfd_vms_slurp_ehdr (abfd);
break;
case EOBJ__C_EEOM:
- err = _bfd_vms_slurp_eeom (abfd);
+ ok = _bfd_vms_slurp_eeom (abfd);
break;
case EOBJ__C_EGSD:
- err = _bfd_vms_slurp_egsd (abfd);
+ ok = _bfd_vms_slurp_egsd (abfd);
break;
case EOBJ__C_ETIR:
- err = TRUE; /* _bfd_vms_slurp_etir (abfd); */
+ ok = TRUE; /* _bfd_vms_slurp_etir (abfd); */
break;
case EOBJ__C_EDBG:
- err = _bfd_vms_slurp_edbg (abfd);
+ ok = _bfd_vms_slurp_edbg (abfd);
break;
case EOBJ__C_ETBT:
- err = _bfd_vms_slurp_etbt (abfd);
+ ok = _bfd_vms_slurp_etbt (abfd);
break;
default:
- err = FALSE;
+ ok = FALSE;
}
- if (!err)
+ if (!ok)
{
vms_debug2 ((2, "slurp type %d failed\n", type));
return FALSE;