authorAlan Modra <amodra@gmail.com>2020-08-03 23:14:57 +0930
committerAlan Modra <amodra@gmail.com>2020-08-03 23:18:34 +0930
commite44a1d7b9ad8d73f6cea1f20fe353fc12f9b8e66 (patch)
treec9e8c4e7b0d6dca858c25630feb844739f861e64
parentb5f386d52049067ca081651a460ab4ae85e327d4 (diff)
asan: alpha-vms: buffer overflow in vms_traverse_index
* vms-lib.c (vms_traverse_index): Sanity check size remaining before accessing vms_idx or vms_elfidx.
-rw-r--r--bfd/ChangeLog5
-rw-r--r--bfd/vms-lib.c6
2 files changed, 9 insertions, 2 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 25cb69f..aae554b 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,10 @@
2020-08-03 Alan Modra <amodra@gmail.com>
+ * vms-lib.c (vms_traverse_index): Sanity check size remaining
+ before accessing vms_idx or vms_elfidx.
+
+2020-08-03 Alan Modra <amodra@gmail.com>
+
PR 26330
* elf.c (_bfd_elf_get_symtab_upper_bound): Sanity check symbol table
size against file size. Correct LONG_MAX limit check.
diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c
index f000bc2..9379108 100644
--- a/bfd/vms-lib.c
+++ b/bfd/vms-lib.c
@@ -277,7 +277,8 @@ vms_traverse_index (bfd *abfd, unsigned int vbn, struct carsym_mem *cs,
unsigned int flags;
/* Extract key length. */
- if (bfd_libdata (abfd)->ver == LBR_MAJORID)
+ if (bfd_libdata (abfd)->ver == LBR_MAJORID
+ && offsetof (struct vms_idx, keyname) <= (size_t) (endp - p))
{
struct vms_idx *ridx = (struct vms_idx *)p;
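Review bot: The `(size_t) (endp - p)` cast in the added condition (and again in the LBR_ELFMAJORID branch of the next hunk) turns a negative difference into a very large value, so the guard only holds if `p <= endp` is already guaranteed at this point. That invariant is set up outside the hunk and deserves a comment next to the check, for example `/* p <= endp is guaranteed by the loop condition, so the cast cannot wrap. */`, once confirmed against the enclosing loop. The test also covers only the fixed fields up to `keyname`; the key bytes described by `keylen` need their own bound against `endp`, which presumably happens later in vms_traverse_index but is not visible here. Because the size test is folded into the version test, a truncated entry takes the same path as an unrecognised version, which is safe only if that trailing branch fails the traversal.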
@@ -288,7 +289,8 @@ vms_traverse_index (bfd *abfd, unsigned int vbn, struct carsym_mem *cs,
flags = 0;
keyname = ridx->keyname;
}
- else if (bfd_libdata (abfd)->ver == LBR_ELFMAJORID)
+ else if (bfd_libdata (abfd)->ver == LBR_ELFMAJORID
+ && offsetof (struct vms_elfidx, keyname) <= (size_t) (endp - p))
{
struct vms_elfidx *ridx = (struct vms_elfidx *)p;