This is the mail archive of the
binutils@sourceware.org
mailing list for the binutils project.
Re: vms buffer overflows and large memory allocation
- From: Alan Modra <amodra at gmail dot com>
- To: binutils at sourceware dot org
- Date: Wed, 26 Feb 2020 15:26:50 +1030
- Subject: Re: vms buffer overflows and large memory allocation
- References: <20200224020650.GD5570@bubble.grove.modra.org>
git commit c893ce360a changed buffer management, in the process
introducing a bug on an error return path. Obviously committed in too
much of a hurry.
* vms-lib.c (vms_lib_read_index): Release correct buffer.
diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c
index 87f865864c..29e213f8c3 100644
--- a/bfd/vms-lib.c
+++ b/bfd/vms-lib.c
@@ -416,6 +416,7 @@ vms_lib_read_index (bfd *abfd, int idx, unsigned int *nbrel)
unsigned int vbn;
ufile_ptr filesize;
size_t amt;
+ struct carsym *csbuf;
struct carsym_mem csm;
/* Read index desription. */
@@ -447,7 +448,7 @@ vms_lib_read_index (bfd *abfd, int idx, unsigned int *nbrel)
csm.max = csm.limit;
if (_bfd_mul_overflow (csm.max, sizeof (struct carsym), &amt))
return NULL;
- csm.idx = bfd_alloc (abfd, amt);
+ csm.idx = csbuf = bfd_alloc (abfd, amt);
if (csm.idx == NULL)
return NULL;
@@ -455,12 +456,12 @@ vms_lib_read_index (bfd *abfd, int idx, unsigned int *nbrel)
vbn = bfd_getl32 (idd.vbn);
if (vbn != 0 && !vms_traverse_index (abfd, vbn, &csm))
{
- if (csm.realloced && csm.idx != NULL)
+ if (csm.realloced)
free (csm.idx);
/* Note: in case of error, we can free what was allocated on the
BFD's objalloc. */
- bfd_release (abfd, csm.idx);
+ bfd_release (abfd, csbuf);
return NULL;
}
@@ -468,7 +469,6 @@ vms_lib_read_index (bfd *abfd, int idx, unsigned int *nbrel)
{
/* There are more entries than the first estimate. Allocate on
the BFD's objalloc. */
- struct carsym *csbuf;
csbuf = bfd_alloc (abfd, csm.nbr * sizeof (struct carsym));
if (csbuf == NULL)
return NULL;
--
Alan Modra
Australia Development Lab, IBM