From 7adc0a8174f1233f6d92edd0671c18c9870e64e7 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Wed, 21 Jun 2017 15:21:11 +0100
Subject: Fix address violation parsing a corrupt Alpha VMS binary file.
PR binutils/21639
* vms-misc.c (_bfd_vms_save_sized_string): Use unsigned int as type of the size parameter. (_bfd_vms_save_counted_string): Add second parameter - the maximum length of the counted string.
* vms.h (_bfd_vms_save_sized_string): Update prototype. (_bfd_vms_save_counted_string): Likewise.
* vms-alpha.c (_bfd_vms_slurp_eisd): Update calls to _bfd_vms_save_counted_string. (_bfd_vms_slurp_ehdr): Likewise. (_bfd_vms_slurp_egsd): Likewise. (Parse_module): Likewise.
---
 bfd/vms-misc.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'bfd/vms-misc.c')
diff --git a/bfd/vms-misc.c b/bfd/vms-misc.c
index 40c6cc2..7497f02 100644
--- a/bfd/vms-misc.c
+++ b/bfd/vms-misc.c
@@ -139,7 +139,7 @@ _bfd_hexdump (int level, unsigned char *ptr, int size, int offset)
 size is string size (size of record) */
 char *
-_bfd_vms_save_sized_string (unsigned char *str, int size)
+_bfd_vms_save_sized_string (unsigned char *str, unsigned int size)
 {
 char *newstr = bfd_malloc ((bfd_size_type) size + 1);
@@ -155,10 +155,12 @@ _bfd_vms_save_sized_string (unsigned char *str, int size)
 ptr points to size byte on entry */
 char *
-_bfd_vms_save_counted_string (unsigned char *ptr)
+_bfd_vms_save_counted_string (unsigned char *ptr, unsigned int maxlen)
 {
- int len = *ptr++;
+ unsigned int len = *ptr++;
+ if (len > maxlen)
+ return NULL;
 return _bfd_vms_save_sized_string (ptr, len);
 }
-- cgit v1.1
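Review bot: In the second hunk, `_bfd_vms_save_counted_string` still reads the count byte with `*ptr++` before `maxlen` is consulted, so the new check bounds only the string body and relies on every caller guaranteeing that the size byte itself lies inside the record. The header comment above the function (only its last line is in the hunk) is not updated and does not say whether `maxlen` includes the size byte or counts only the bytes after it, which is the off-by-one the callers in vms-alpha.c (not shown in this view) have to get right. I would add to that comment `maxlen is the number of bytes available after the size byte; returns NULL if the count exceeds it`. The new NULL return also looks indistinguishable from what is presumably the allocation-failure path in `_bfd_vms_save_sized_string`, so consider calling `bfd_set_error (bfd_error_bad_value);` before `return NULL;` so that corrupt input is reported as such.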