Re: vms buffer overflows and large memory allocation

git commit c893ce360a changed buffer management, in the process
introducing a bug on an error return path.

	* vms-lib.c (vms_lib_read_index): Release correct buffer.

1 files changed, 4 insertions, 4 deletions

diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c
index 87f8658..29e213f8 100644
--- a/bfd/vms-lib.c
+++ b/bfd/vms-lib.c
@@ -416,6 +416,7 @@ vms_lib_read_index (bfd *abfd, int idx, unsigned int *nbrel)
   unsigned int vbn;
   ufile_ptr filesize;
   size_t amt;
+  struct carsym *csbuf;
   struct carsym_mem csm;
 
   /* Read index desription.  */
@@ -447,7 +448,7 @@ vms_lib_read_index (bfd *abfd, int idx, unsigned int *nbrel)
     csm.max = csm.limit;
   if (_bfd_mul_overflow (csm.max, sizeof (struct carsym), &amt))
     return NULL;
-  csm.idx = bfd_alloc (abfd, amt);
+  csm.idx = csbuf = bfd_alloc (abfd, amt);
   if (csm.idx == NULL)
     return NULL;
 
@@ -455,12 +456,12 @@ vms_lib_read_index (bfd *abfd, int idx, unsigned int *nbrel)
   vbn = bfd_getl32 (idd.vbn);
   if (vbn != 0 && !vms_traverse_index (abfd, vbn, &csm))
     {
-      if (csm.realloced && csm.idx != NULL)
+      if (csm.realloced)
 	free (csm.idx);
 
       /* Note: in case of error, we can free what was allocated on the
 	 BFD's objalloc.  */
-      bfd_release (abfd, csm.idx);
+      bfd_release (abfd, csbuf);
       return NULL;
     }
 
@@ -468,7 +469,6 @@ vms_lib_read_index (bfd *abfd, int idx, unsigned int *nbrel)
     {
       /* There are more entries than the first estimate.  Allocate on
 	 the BFD's objalloc.  */
-      struct carsym *csbuf;
       csbuf = bfd_alloc (abfd, csm.nbr * sizeof (struct carsym));
       if (csbuf == NULL)
 	return NULL;