This is the mail archive of the
binutils@sourceware.org
mailing list for the binutils project.
Re: vms buffer overflows and large memory allocation
- From: Alan Modra <amodra at gmail dot com>
- To: binutils at sourceware dot org
- Date: Mon, 24 Feb 2020 13:25:14 +1030
- Subject: Re: vms buffer overflows and large memory allocation
- References: <20200224020650.GD5570@bubble.grove.modra.org>
The last patch wasn't quite correct. I'd missed the fact that sbm_off
had been updated.
* vms-lib.c (_bfd_vms_lib_archive_p): Correct overflow checks.
diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c
index 3b42857aa9..87f865864c 100644
--- a/bfd/vms-lib.c
+++ b/bfd/vms-lib.c
@@ -627,6 +627,8 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind)
sbm = (struct vms_dcxsbm *) (buf + sbm_off);
sbm_sz = bfd_getl16 (sbm->size);
sbm_off += sbm_sz;
+ if (sbm_off > reclen)
+ goto err;
sbmdesc->min_char = sbm->min_char;
BFD_ASSERT (sbmdesc->min_char == 0);
@@ -639,21 +641,21 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind)
goto err;
sbmdesc->flags = (unsigned char *)bfd_alloc (abfd, l);
off = bfd_getl16 (sbm->flags);
- if (off > reclen - sbm_off
- || reclen - sbm_off - off < l)
+ if (off > sbm_sz
+ || sbm_sz - off < l)
goto err;
memcpy (sbmdesc->flags, (bfd_byte *) sbm + off, l);
sbmdesc->nodes = (unsigned char *)bfd_alloc (abfd, 2 * sbm_len);
off = bfd_getl16 (sbm->nodes);
- if (off > reclen - sbm_off
- || reclen - sbm_off - off < 2 * sbm_len)
+ if (off > sbm_sz
+ || sbm_sz - off < 2 * sbm_len)
goto err;
memcpy (sbmdesc->nodes, (bfd_byte *) sbm + off, 2 * sbm_len);
off = bfd_getl16 (sbm->next);
if (off != 0)
{
- if (off > reclen - sbm_off
- || reclen - sbm_off - off < 2 * sbm_len)
+ if (off > sbm_sz
+ || sbm_sz - off < 2 * sbm_len)
goto err;
/* Read the 'next' array. */
sbmdesc->next = (unsigned short *) bfd_alloc (abfd, 2 * sbm_len);
--
Alan Modra
Australia Development Lab, IBM