PR26188, buff overflow in coff_find_nearest_line_with_names
Alan Modra
amodra@gmail.com
Wed Jul 1 11:47:19 GMT 2020
PR 26188
* coffgen.c (coff_find_nearest_line_with_names): Sanity check
raw syment index before dereferencing.
diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index 94589b43d2..3291b693eb 100644
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -2435,11 +2435,15 @@ coff_find_nearest_line_with_names (bfd *abfd,
/* In XCOFF a debugging symbol can follow the
function symbol. */
- if (s->u.syment.n_scnum == N_DEBUG)
+ if (((size_t) ((char *) s - (char *) obj_raw_syments (abfd))
+ < obj_raw_syment_count (abfd) * sizeof (*s))
+ && s->u.syment.n_scnum == N_DEBUG)
s = s + 1 + s->u.syment.n_numaux;
/* S should now point to the .bf of the function. */
- if (s->u.syment.n_numaux)
+ if (((size_t) ((char *) s - (char *) obj_raw_syments (abfd))
+ < obj_raw_syment_count (abfd) * sizeof (*s))
+ && s->u.syment.n_numaux)
{
/* The linenumber is stored in the auxent. */
union internal_auxent *a = &((s + 1)->u.auxent);
--
Alan Modra
Australia Development Lab, IBM
More information about the Binutils
mailing list