FreeChainXenon/binutils-gdb
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

asan: alpha-vms: buffer overflow in vms_traverse_index

Browse source 
* vms-lib.c (vms_traverse_index): Sanity check size remaining
	before accessing vms_idx or vms_elfidx.
This commit is contained in:
Alan Modra 2020-08-03 23:14:57 +09:30
parent b5f386d520
commit e44a1d7b9a
2 changed files with 9 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

5
bfd/ChangeLog
View file

@ -1,3 +1,8 @@
2020-08-03 Alan Modra <amodra@gmail.com>
* vms-lib.c (vms_traverse_index): Sanity check size remaining
before accessing vms_idx or vms_elfidx.
2020-08-03 Alan Modra <amodra@gmail.com> 2020-08-03 Alan Modra <amodra@gmail.com>
PR 26330 PR 26330

6
bfd/vms-lib.c
View file

@ -277,7 +277,8 @@ vms_traverse_index (bfd *abfd, unsigned int vbn, struct carsym_mem *cs,
unsigned int flags; unsigned int flags;
/* Extract key length. */ /* Extract key length. */
if (bfd_libdata (abfd)->ver == LBR_MAJORID) if (bfd_libdata (abfd)->ver == LBR_MAJORID
&& offsetof (struct vms_idx, keyname) <= (size_t) (endp - p))
{ {
struct vms_idx *ridx = (struct vms_idx *)p; struct vms_idx *ridx = (struct vms_idx *)p;
@ -288,7 +289,8 @@ vms_traverse_index (bfd *abfd, unsigned int vbn, struct carsym_mem *cs,
flags = 0; flags = 0;
keyname = ridx->keyname; keyname = ridx->keyname;
} }
else if (bfd_libdata (abfd)->ver == LBR_ELFMAJORID) else if (bfd_libdata (abfd)->ver == LBR_ELFMAJORID
&& offsetof (struct vms_elfidx, keyname) <= (size_t) (endp - p))
{ {
struct vms_elfidx *ridx = (struct vms_elfidx *)p; struct vms_elfidx *ridx = (struct vms_elfidx *)p;