From: Alan Modra
To: bfd-cvs@sourceware.org
Subject: [binutils-gdb] Add ECOFF Symbolic Header sanity checks
Date: Fri, 3 Feb 2023 05:41:28 +0000 (GMT)
Message-Id: <20230203054128.D16E33858296@sourceware.org>
X-Git-Author: Alan Modra
X-Git-Refname: refs/heads/master
X-Git-Oldrev: e0df1fd7842d93495e7b382dc969d7347b53b7bf
X-Git-Newrev: 96e034530e092e8b746e00d13086c1138a84504b

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=96e034530e092e8b746e00d13086c1138a84504b

commit 96e034530e092e8b746e00d13086c1138a84504b
Author: Alan Modra
Date:   Thu Feb 2 22:39:31 2023 +1030

    Add ECOFF Symbolic Header sanity checks

    Anti-fuzzer measures.  The checks don't ensure the various elements
    in the header are distinct, but that isn't important as far as
    making sure we don't overrun the buffer containing all the elements.
    Also, we now don't care about offsets where the corresponding count
    is zero.

    	* ecoff.c (_bfd_ecoff_slurp_symbolic_info): Sanity check offsets
    	in debug->symbolic_header.

Diff:
---
 bfd/ecoff.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/bfd/ecoff.c b/bfd/ecoff.c
index 717d2fa2c75..48f33df630e 100644
--- a/bfd/ecoff.c
+++ b/bfd/ecoff.c
@@ -527,12 +527,24 @@ _bfd_ecoff_slurp_symbolic_info (bfd *abfd, documented section. And the ordering of the sections varies between statically and dynamically linked executables. If bfd supports SEEK_END someday, this code could be simplified. */ - raw_end =3D 0; + raw_end =3D raw_base; =20 #define UPDATE_RAW_END(start, count, size) \ - cb_end =3D internal_symhdr->start + internal_symhdr->count * (size); \ - if (cb_end > raw_end) \ - raw_end =3D cb_end + do \ + if (internal_symhdr->count !=3D 0) \ + { \ + if (internal_symhdr->start < raw_base) \ + goto err; \ + if (_bfd_mul_overflow ((unsigned long) internal_symhdr->count, \ + (size), &amt)) \ + goto err; \ + cb_end =3D internal_symhdr->start + amt; \ + if (cb_end < internal_symhdr->start) \ + goto err; \ + if (cb_end > raw_end) \ + raw_end =3D cb_end; \ + } \ + while (0) =20 UPDATE_RAW_END (cbLineOffset, cbLine, sizeof (unsigned char)); UPDATE_RAW_END (cbDnOffset, idnMax, backend->debug_swap.external_dnr_siz= e); @@ -599,6 +611,7 @@ _bfd_ecoff_slurp_symbolic_info (bfd *abfd, if (_bfd_mul_overflow ((unsigned long) internal_symhdr->ifdMax, sizeof (struct fdr), &amt)) { + err: bfd_set_error (bfd_error_file_too_big); return false; }
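Review bot: In the new UPDATE_RAW_END body (first hunk), the wrap check `if (cb_end < internal_symhdr->start) goto err;` is only meaningful when cb_end is an unsigned type, and the cast `(unsigned long) internal_symhdr->count` suggests count is signed, so a negative count is silently converted to a huge value and left for the multiply and add overflow checks to catch. With `size` equal to 1 (the cbLine case, `sizeof (unsigned char)`) the multiplication cannot overflow, so rejection then rests entirely on the addition wrapping. An explicit `if (internal_symhdr->count < 0) goto err;` ahead of the `_bfd_mul_overflow` call would state the intent directly and not depend on the size argument. The macro also carries no comment saying what it now enforces (start at or beyond raw_base, count * size not overflowing, start + amt not wrapping, raw_end tracking the largest end seen); a short comment above the `#define` would help the next reader of this code.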
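Review bot: Placing the `err:` label inside the body of the `if (_bfd_mul_overflow (... ifdMax ...))` block (second hunk) means every `goto err` from UPDATE_RAW_END jumps into the middle of an unrelated compound statement. That is legal C, but it ties the macro's error path to the layout of a later check and is easy to break when that block is edited. Consider moving the label to a standalone error block that the normal path cannot fall into, e.g. `err:` / `bfd_set_error (bfd_error_file_too_big);` / `return false;` placed after the function's normal return, and have the existing ifdMax overflow check `goto err` as well. Reporting bfd_error_file_too_big for an offset that lies below raw_base is also slightly misleading; if a more specific bfd error code fits, using it would make fuzzer-found rejections easier to diagnose.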