[PATCH] binutils: fix out-of-bounds write in stab_xcoff_builtin_type (bz 28694)

Pavel Mayorov pmayorov@cloudlinux.com
Tue Dec 14 16:57:32 GMT 2021


I found an out-of-bounds write to the array 'info->xcoff_types' in the
function 'stab_xcoff_builtin_type' (binutils/stabs.c).

Processing of typenum -34 results in overwriting the adjacent field
'info->tags' at line 3668:
  info->xcoff_types[-typenum] = rettype;

This eventually leads to a segmentation fault due to illegal memory
reference performed by the function 'finish_stab'. ASAN catches this
as heap-buffer-overflow.

To solve this problem, it is enough to correct the index by which the
array is accessed: decrease it by 1.
---
 binutils/stabs.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/binutils/stabs.c b/binutils/stabs.c
index 274bfb0e7fa..45ccbba4600 100644
--- a/binutils/stabs.c
+++ b/binutils/stabs.c
@@ -3500,14 +3500,16 @@ stab_xcoff_builtin_type (void *dhandle, struct
stab_handle *info,
 {
   debug_type rettype;
   const char *name;
+  int index;

   if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
     {
       fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
       return DEBUG_TYPE_NULL;
     }
-  if (info->xcoff_types[-typenum] != NULL)
-    return info->xcoff_types[-typenum];
+  index = -typenum - 1;
+  if (info->xcoff_types[index] != NULL)
+    return info->xcoff_types[index];

   switch (-typenum)
     {
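Review bot: the new `index = -typenum - 1` is the right correction given the check just above it, which accepts typenum == -XCOFF_TYPE_COUNT; with the old `-typenum` that value selected element XCOFF_TYPE_COUNT, the one-past-the-end slot that the commit message says lands on `info->tags`, whereas the accepted range -XCOFF_TYPE_COUNT..-1 now maps onto 0..XCOFF_TYPE_COUNT-1. Two small requests for this hunk: pick a name other than `index` for the local, since it can shadow the libc `index()` declared via <strings.h> and draws a -Wshadow warning on builds that enable it, and put a one-line comment next to the assignment saying that XCOFF builtin type numbers start at -1 while `xcoff_types` is zero-based, so a later reader does not "simplify" the `- 1` back out.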
@@ -3665,7 +3667,7 @@ stab_xcoff_builtin_type (void *dhandle, struct
stab_handle *info,

   rettype = debug_name_type (dhandle, name, rettype);

-  info->xcoff_types[-typenum] = rettype;
+  info->xcoff_types[index] = rettype;

   return rettype;
 }
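Review bot: the store `info->xcoff_types[index] = rettype;` now agrees with the lookup in the first hunk, so a type is cached in the same slot it is later read back from; what this hunk cannot show is whether anything else reads or walks `info->xcoff_types` (for instance when the stab handle is torn down) with the old 1..XCOFF_TYPE_COUNT convention, so please grep for the array's other uses and confirm they are zero-based before this goes in, otherwise the fix just moves the off-by-one to the other end of the array.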
-- 
2.17.1
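As an added illustration of the off-by-one described in the message above (example code, not part of the patch or of binutils), the program below models the tail of `struct stab_handle` as the `xcoff_types` array immediately followed by `tags`, reproduces the range check from `stab_xcoff_builtin_type`, and compares the old `-typenum` index with the patched `-typenum - 1`. It assumes `XCOFF_TYPE_COUNT` is 34, matching the commit message's `-34`; the struct layout is constructed for the demonstration and the aliasing is shown with `offsetof` rather than by performing the undefined out-of-bounds write.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the array size binutils' stabs.c uses; the patch only shows the macro name. */
#define XCOFF_TYPE_COUNT 34

typedef void *debug_type;   /* stand-in for binutils' opaque debug_type handle */

/* Constructed model of the tail of struct stab_handle: the cache array
   followed by the field the commit message reports as clobbered.
   The real struct has more members; only the adjacency matters here. */
struct stab_handle_model
{
  debug_type xcoff_types[XCOFF_TYPE_COUNT];
  void *tags;
};

/* The range check exactly as stab_xcoff_builtin_type performs it:
   note that typenum == -XCOFF_TYPE_COUNT is accepted. */
static int
xcoff_typenum_accepted (int typenum)
{
  if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
    return 0;
  return 1;
}

/* Index into xcoff_types before the patch ... */
static int
xcoff_index_old (int typenum)
{
  return -typenum;
}

/* ... and after it. */
static int
xcoff_index_fixed (int typenum)
{
  return -typenum - 1;
}

/* Count the accepted typenums whose index falls outside xcoff_types
   under the given mapping (0 means the mapping is safe). */
static int
count_out_of_bounds (int (*index_of) (int))
{
  int bad = 0;
  for (int typenum = -XCOFF_TYPE_COUNT - 1; typenum <= 0; typenum++)
    {
      if (!xcoff_typenum_accepted (typenum))
        continue;
      int idx = index_of (typenum);
      if (idx < 0 || idx >= XCOFF_TYPE_COUNT)
        bad++;
    }
  return bad;
}

/* Show, with offsetof rather than an actual (undefined) write, that the
   slot the old mapping picks for -XCOFF_TYPE_COUNT is exactly where
   tags lives in this layout. */
static int
old_index_aliases_tags (void)
{
  size_t slot = offsetof (struct stab_handle_model, xcoff_types)
    + (size_t) xcoff_index_old (-XCOFF_TYPE_COUNT) * sizeof (debug_type);
  return slot == offsetof (struct stab_handle_model, tags);
}

/* Cache store along the patched path: reject out-of-range typenums,
   otherwise write the zero-based slot. Returns 0 on success, -1 if rejected. */
static int
xcoff_cache_store (struct stab_handle_model *info, int typenum, debug_type t)
{
  if (!xcoff_typenum_accepted (typenum))
    return -1;
  info->xcoff_types[xcoff_index_fixed (typenum)] = t;
  return 0;
}

/* Store the highest-numbered builtin type through the patched path and
   report whether tags survived and the last array slot was filled. */
static int
tags_survive_store (void)
{
  struct stab_handle_model info;
  int marker = 0;
  memset (&info, 0, sizeof info);
  info.tags = &marker;
  if (xcoff_cache_store (&info, -XCOFF_TYPE_COUNT, (debug_type) &info) != 0)
    return 0;
  return info.tags == &marker
    && info.xcoff_types[XCOFF_TYPE_COUNT - 1] == (debug_type) &info;
}

int
main (void)
{
  printf ("old mapping, out-of-bounds slots:   %d\n", count_out_of_bounds (xcoff_index_old));
  printf ("fixed mapping, out-of-bounds slots: %d\n", count_out_of_bounds (xcoff_index_fixed));
  printf ("old index for %d lands on tags:    %s\n", -XCOFF_TYPE_COUNT,
          old_index_aliases_tags () ? "yes" : "no");
  printf ("tags intact after patched store:    %s\n", tags_survive_store () ? "yes" : "no");
  return 0;
}
```

The point of `count_out_of_bounds` is that the range check and the index computation have to be read together: the check admits exactly XCOFF_TYPE_COUNT values, and only the zero-based mapping fits all of them into an array of that size. `old_index_aliases_tags` is why the symptom appeared as a corrupted `tags` pointer rather than a crash at the write itself; the write lands on live heap memory inside the same allocation, which is also why ASAN reports it as a heap-buffer-overflow only when the object is heap-allocated and poisoned.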