From: Alan Modra
To: binutils@sourceware.org
Subject: Re: vms buffer overflows and large memory allocation
Date: Mon, 24 Feb 2020 02:55:00 -0000
Message-ID: <20200224025513.GE5570@bubble.grove.modra.org>
In-Reply-To: <20200224020650.GD5570@bubble.grove.modra.org>

The last patch wasn't quite correct. I'd missed the fact that sbm_off had been updated.

	* vms-lib.c (_bfd_vms_lib_archive_p): Correct overflow checks.

diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c index 3b42857aa9..87f865864c 100644 --- a/bfd/vms-lib.c +++ b/bfd/vms-lib.c @@ -627,6 +627,8 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind) sbm = (struct vms_dcxsbm *) (buf + sbm_off); sbm_sz = bfd_getl16 (sbm->size); sbm_off += sbm_sz; + if (sbm_off > reclen) + goto err; sbmdesc->min_char = sbm->min_char; BFD_ASSERT (sbmdesc->min_char == 0);
@@ -639,21 +641,21 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind) goto err; sbmdesc->flags = (unsigned char *)bfd_alloc (abfd, l); off = bfd_getl16 (sbm->flags); - if (off > reclen - sbm_off - || reclen - sbm_off - off < l) + if (off > sbm_sz + || sbm_sz - off < l) goto err; memcpy (sbmdesc->flags, (bfd_byte *) sbm + off, l); sbmdesc->nodes = (unsigned char *)bfd_alloc (abfd, 2 * sbm_len); off = bfd_getl16 (sbm->nodes); - if (off > reclen - sbm_off - || reclen - sbm_off - off < 2 * sbm_len) + if (off > sbm_sz + || sbm_sz - off < 2 * sbm_len) goto err; memcpy (sbmdesc->nodes, (bfd_byte *) sbm + off, 2 * sbm_len); off = bfd_getl16 (sbm->next); if (off != 0) { - if (off > reclen - sbm_off - || reclen - sbm_off - off < 2 * sbm_len) + if (off > sbm_sz + || sbm_sz - off < 2 * sbm_len) goto err; /* Read the 'next' array. */ sbmdesc->next = (unsigned short *) bfd_alloc (abfd, 2 * sbm_len); -- Alan Modra Australia Development Lab, IBM
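Review bot: In the first hunk (@@ -627,6 +627,8 @@), the new `if (sbm_off > reclen) goto err;` only bounds the end of the sub-block: `sbm_sz` comes straight from the file via `bfd_getl16 (sbm->size)` and may be smaller than the `struct vms_dcxsbm` header itself, so the later `off > sbm_sz` checks would then be measured against a size that does not even cover the `flags`, `nodes` and `next` fields being read from it. Consider also rejecting `sbm_sz < sizeof (struct vms_dcxsbm)` at this point, so the offset checks that follow are relative to a block that at least contains its own header; the reads of `sbm->size` and `sbm->min_char` themselves still depend on an earlier check that the header at `buf + sbm_off` lies within `reclen`.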
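Review bot: In the second hunk (@@ -639,21 +641,21 @@), `sbmdesc->flags` and `sbmdesc->nodes` are allocated with `bfd_alloc` before the corrected offset check, and the result is passed to `memcpy` without a NULL test, so an allocation failure is a write through a null pointer and a malformed `off` still costs an allocation that is then abandoned by `goto err`. Since the new checks depend only on `sbm_sz`, `off` and the length, consider moving each `bfd_alloc` after its check and testing the return value, e.g.
`if (off > sbm_sz || sbm_sz - off < l) goto err;`
`sbmdesc->flags = (unsigned char *) bfd_alloc (abfd, l);`
`if (sbmdesc->flags == NULL) goto err;`
The three checks now share one shape (`off > sbm_sz || sbm_sz - off < len`) and would read better as a small static helper.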