asan: alpha-vms: buffer overflow in vms_traverse_index
Alan Modra
amodra@gmail.com
Mon Aug 3 13:52:28 GMT 2020
The fuzzers are at it again.
* vms-lib.c (vms_traverse_index): Sanity check size remaining
before accessing vms_idx or vms_elfidx.
diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c
index f000bc2a8f..93791088bd 100644
--- a/bfd/vms-lib.c
+++ b/bfd/vms-lib.c
@@ -277,7 +277,8 @@ vms_traverse_index (bfd *abfd, unsigned int vbn, struct carsym_mem *cs,
unsigned int flags;
/* Extract key length. */
- if (bfd_libdata (abfd)->ver == LBR_MAJORID)
+ if (bfd_libdata (abfd)->ver == LBR_MAJORID
+ && offsetof (struct vms_idx, keyname) <= (size_t) (endp - p))
{
struct vms_idx *ridx = (struct vms_idx *)p;
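Review bot: The new guard `offsetof (struct vms_idx, keyname) <= (size_t) (endp - p)` is only sound if p cannot already be past endp when the test runs: `endp - p` is a signed ptrdiff_t, and a negative difference cast to size_t becomes a huge value that passes the check and lets the cast to `struct vms_idx *` go ahead. Where p and endp are advanced is not visible in this hunk, so either that invariant is established earlier in the loop or the condition should state it, e.g. `&& p <= endp && (size_t) (endp - p) >= offsetof (struct vms_idx, keyname)`. vms_traverse_index begins before this hunk and its body continues after it.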
@@ -288,7 +289,8 @@ vms_traverse_index (bfd *abfd, unsigned int vbn, struct carsym_mem *cs,
flags = 0;
keyname = ridx->keyname;
}
- else if (bfd_libdata (abfd)->ver == LBR_ELFMAJORID)
+ else if (bfd_libdata (abfd)->ver == LBR_ELFMAJORID
+ && offsetof (struct vms_elfidx, keyname) <= (size_t) (endp - p))
{
struct vms_elfidx *ridx = (struct vms_elfidx *)p;
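Review bot: The added bound covers only the fixed-size prefix of `struct vms_elfidx` up to `keyname`; the `keylen` field read from that prefix then decides how many bytes of keyname are consumed, and nothing in this hunk compares `keyname + keylen` against endp, so a fuzzed keylen could still run the cursor past the block. If that comparison is performed later in the function (the body continues past the hunk), a comment on the new condition such as `/* Only the fixed header is validated here; keyname + keylen is checked before the next entry is read.  */` would make the split responsibility explicit for the next reader. The same offsetof-versus-remaining test is now written twice for the two formats; a small helper taking the prefix size would keep the two branches from drifting apart on the next fix.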
--
Alan Modra
Australia Development Lab, IBM