[binutils-gdb] asan: heap buffer overflow in dwarf2_directive_filename

[binutils-gdb] asan: heap buffer overflow in dwarf2_directive_filename

[Alan Modra]

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6f87d3fd27417e5adb2aa6f106a614296425df57

commit 6f87d3fd27417e5adb2aa6f106a614296425df57
Author: Alan Modra <amodra@gmail.com>
Date:   Wed Jun 1 17:44:41 2022 +0930

    asan: heap buffer overflow in dwarf2_directive_filename
    
    Seen with .file 4294967289 "xxx.c"
    
            * dwarf2dbg.c (assign_file_to_slot): Catch more cases of integer
            overflow.  Make param i an unsigned int.

Diff:
---
 gas/dwarf2dbg.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/gas/dwarf2dbg.c b/gas/dwarf2dbg.c
index 185d57c253f..b4b252970c1 100644
--- a/gas/dwarf2dbg.c
+++ b/gas/dwarf2dbg.c
@@ -679,7 +679,7 @@ get_directory_table_entry (const char *dirname,
 }
 
 static bool
-assign_file_to_slot (unsigned long i, const char *file, unsigned int dir)
+assign_file_to_slot (unsigned int i, const char *file, unsigned int dir)
 {
   if (i >= files_allocated)
     {
@@ -687,9 +687,11 @@ assign_file_to_slot (unsigned long i, const char *file, unsigned int dir)
 
       files_allocated = i + 32;
       /* Catch wraparound.  */
-      if (files_allocated <= old)
+      if (files_allocated < old
+	  || files_allocated < i
+	  || files_allocated > UINT_MAX / sizeof (struct file_entry))
 	{
-	  as_bad (_("file number %lu is too big"), (unsigned long) i);
+	  as_bad (_("file number %u is too big"), i);
 	  return false;
 	}