aboutsummaryrefslogtreecommitdiff
path: root/bfd/vms-alpha.c
diff options
context:
space:
mode:
authorNick Clifton <nickc@redhat.com>2017-06-19 12:31:07 +0100
committerNick Clifton <nickc@redhat.com>2017-06-19 12:31:07 +0100
commit72e84f969481f52daf6741c6bb4d0e92f9668389 (patch)
tree92a0bf7a2384b737565c3115d7d58bca57d84b28 /bfd/vms-alpha.c
parent875ffa3edc5f27f0ad5e3d95d96782832edad00e (diff)
downloadgdb-72e84f969481f52daf6741c6bb4d0e92f9668389.zip
gdb-72e84f969481f52daf6741c6bb4d0e92f9668389.tar.gz
gdb-72e84f969481f52daf6741c6bb4d0e92f9668389.tar.bz2
Fix access violation when disassembling a corrupt VMS binary.
PR 21615 * vms-alpha.c (_bfd_vms_slurp_egsd): Use unsigned int for gsd_size. Check that there are enough bytes remaining to read the type and size of the next egsd. Check that the size of the egsd does not exceed the size of the record.
Diffstat (limited to 'bfd/vms-alpha.c')
-rw-r--r--bfd/vms-alpha.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
index 83b6638..be5c06f 100644
--- a/bfd/vms-alpha.c
+++ b/bfd/vms-alpha.c
@@ -1121,7 +1121,8 @@ add_symbol (bfd *abfd, const unsigned char *ascic)
static bfd_boolean
_bfd_vms_slurp_egsd (bfd *abfd)
{
- int gsd_type, gsd_size;
+ int gsd_type;
+ unsigned int gsd_size;
unsigned char *vms_rec;
unsigned long base_addr;
@@ -1133,7 +1134,7 @@ _bfd_vms_slurp_egsd (bfd *abfd)
/* Calculate base address for each section. */
base_addr = 0L;
- while (PRIV (recrd.rec_size) > 0)
+ while (PRIV (recrd.rec_size) > 4)
{
vms_rec = PRIV (recrd.rec);
@@ -1142,6 +1143,15 @@ _bfd_vms_slurp_egsd (bfd *abfd)
vms_debug2 ((3, "egsd_type %d\n", gsd_type));
+ /* PR 21615: Check for size overflow. */
+ if (PRIV (recrd.rec_size) < gsd_size)
+ {
+ _bfd_error_handler (_("Corrupt EGSD record: size (%#x) is larger than remaining space (%#x)"),
+ gsd_size, PRIV (recrd.rec_size));
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+
switch (gsd_type)
{
case EGSD__C_PSC: