From 33d1369f183f1c276e3f0f52b5573fb2f5843b1c Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Wed, 1 Jul 2020 16:54:50 +0930
Subject: PR26188, buff overflow in coff_find_nearest_line_with_names
PR 26188
* coffgen.c (coff_find_nearest_line_with_names): Sanity check
raw syment index before dereferencing.
---
 bfd/ChangeLog | 6 ++++++
 bfd/coffgen.c | 8 ++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index fc6042e..b91df99 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,11 @@
 2020-07-01 Alan Modra
+ PR 26188
+ * coffgen.c (coff_find_nearest_line_with_names): Sanity check
+ raw syment index before dereferencing.
+
+2020-07-01 Alan Modra
+
 * elf32-i386.c (elf_backend_object_p): Undef for vxworks.
 2020-07-01 Alan Modra
diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index 94589b4..3291b69 100644
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -2435,11 +2435,15 @@ coff_find_nearest_line_with_names (bfd *abfd,
 /* In XCOFF a debugging symbol can follow the function symbol. */
- if (s->u.syment.n_scnum == N_DEBUG)
+ if (((size_t) ((char *) s - (char *) obj_raw_syments (abfd))
+ < obj_raw_syment_count (abfd) * sizeof (*s))
+ && s->u.syment.n_scnum == N_DEBUG)
 s = s + 1 + s->u.syment.n_numaux;
 /* S should now point to the .bf of the function. */
- if (s->u.syment.n_numaux)
+ if (((size_t) ((char *) s - (char *) obj_raw_syments (abfd))
+ < obj_raw_syment_count (abfd) * sizeof (*s))
+ && s->u.syment.n_numaux)
 {
 /* The linenumber is stored in the auxent. */
 union internal_auxent *a = &((s + 1)->u.auxent);
--
cgit v1.1
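Review bot: The second guard in the coffgen.c hunk only proves that `s` itself lies inside the raw syment table, yet the block it protects immediately forms `&((s + 1)->u.auxent)`, so when `s` is the last entry and its `n_numaux` is non-zero the auxent would sit one element past the table. Unless the symbol reader already guarantees that every entry's aux records fit inside the table (not visible in this hunk), the condition should also bound `s + 1`, for example by adding `&& ((size_t) ((char *) (s + 1) - (char *) obj_raw_syments (abfd)) < obj_raw_syment_count (abfd) * sizeof (*s))`. The same range expression now appears twice a few lines apart; a small static helper taking `abfd` and the candidate pointer would keep the two checks from drifting and make the unsigned-wrap trick that rejects pointers below the table base explicit in one commented place. The function begins and ends outside the hunk, so where `a` is actually read is inferred rather than shown.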