diff options
author | Alan Modra <amodra@gmail.com> | 2020-07-01 16:54:50 +0930 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2020-07-01 21:18:11 +0930 |
commit | 33d1369f183f1c276e3f0f52b5573fb2f5843b1c (patch) | |
tree | 6c2b9f099f3c99cf8a95c07922133d4b99fc9079 /bfd/coffgen.c | |
parent | 9cdf98207c5bab668e3734d11d5a24d6b5375b54 (diff) | |
download | gdb-33d1369f183f1c276e3f0f52b5573fb2f5843b1c.zip gdb-33d1369f183f1c276e3f0f52b5573fb2f5843b1c.tar.gz gdb-33d1369f183f1c276e3f0f52b5573fb2f5843b1c.tar.bz2 |
PR26188, buff overflow in coff_find_nearest_line_with_names
PR 26188
* coffgen.c (coff_find_nearest_line_with_names): Sanity check
raw syment index before dereferencing.
Diffstat (limited to 'bfd/coffgen.c')
-rw-r--r-- | bfd/coffgen.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/bfd/coffgen.c b/bfd/coffgen.c index 94589b4..3291b69 100644 --- a/bfd/coffgen.c +++ b/bfd/coffgen.c @@ -2435,11 +2435,15 @@ coff_find_nearest_line_with_names (bfd *abfd, /* In XCOFF a debugging symbol can follow the function symbol. */ - if (s->u.syment.n_scnum == N_DEBUG) + if (((size_t) ((char *) s - (char *) obj_raw_syments (abfd)) + < obj_raw_syment_count (abfd) * sizeof (*s)) + && s->u.syment.n_scnum == N_DEBUG) s = s + 1 + s->u.syment.n_numaux; /* S should now point to the .bf of the function. */ - if (s->u.syment.n_numaux) + if (((size_t) ((char *) s - (char *) obj_raw_syments (abfd)) + < obj_raw_syment_count (abfd) * sizeof (*s)) + && s->u.syment.n_numaux) { /* The linenumber is stored in the auxent. */ union internal_auxent *a = &((s + 1)->u.auxent); |