Date: Thu, 26 Mar 2020 11:25:11 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: alpha-vms: Sanity check ETIR__C_CTL_DFLOC index
Message-ID: <20200326005511.GI4583@bubble.grove.modra.org>

I doubt anyone will want to create more than 16M debug location entries. If there is no bound, the object format allows for 32-bit indices, and of course fuzzers find that and attempt allocation of up to a 16G byte array. The patch also fixes potential integer overflows in calculating the array size.

	* vms-alpha.c (dst_define_location): Limit size of dst_ptr_offsets
	array.
	(_bfd_vms_slurp_object_records): Rename "err" to "ok".

diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c index c08d35d4b2..594363b32a 100644 --- a/bfd/vms-alpha.c +++ b/bfd/vms-alpha.c @@ -1553,6 +1553,14 @@ dst_define_location (bfd *abfd, unsigned int loc) { vms_debug2 ((4, "dst_define_location (%d)\n", (int)loc)); + if (loc > 1 << 24) + { + /* 16M entries ought to be plenty. */ + bfd_set_error (bfd_error_bad_value); + _bfd_error_handler (_("dst_define_location %u too large"), loc); + return FALSE; + } + /* Grow the ptr offset table if necessary. */ if (loc + 1 > PRIV (dst_ptr_offsets_count)) { 
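Review bot: `if (loc > 1 << 24)` lets loc == 1 << 24 through, so the table may hold 16M + 1 entries rather than the 16M the comment and the commit message describe; if the ceiling is meant to be exact use `>=`, otherwise say in the comment that the bound is inclusive. The debug line just above still prints the value as `(int)loc` with `%d` while the new error uses `%u`; printing the index unsigned in both places keeps the two messages consistent for values above INT_MAX, which are exactly the ones the new check rejects.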
@@ -2634,7 +2642,7 @@ _bfd_vms_slurp_eeom (bfd *abfd) static bfd_boolean _bfd_vms_slurp_object_records (bfd * abfd) { - bfd_boolean err; + bfd_boolean ok; int type; do @@ -2651,27 +2659,27 @@ _bfd_vms_slurp_object_records (bfd * abfd) switch (type) { case EOBJ__C_EMH: - err = _bfd_vms_slurp_ehdr (abfd); + ok = _bfd_vms_slurp_ehdr (abfd); break; case EOBJ__C_EEOM: - err = _bfd_vms_slurp_eeom (abfd); + ok = _bfd_vms_slurp_eeom (abfd); break; case EOBJ__C_EGSD: - err = _bfd_vms_slurp_egsd (abfd); + ok = _bfd_vms_slurp_egsd (abfd); break; case EOBJ__C_ETIR: - err = TRUE; /* _bfd_vms_slurp_etir (abfd); */ + ok = TRUE; /* _bfd_vms_slurp_etir (abfd); */ break; case EOBJ__C_EDBG: - err = _bfd_vms_slurp_edbg (abfd); + ok = _bfd_vms_slurp_edbg (abfd); break; case EOBJ__C_ETBT: - err = _bfd_vms_slurp_etbt (abfd); + ok = _bfd_vms_slurp_etbt (abfd); break; default: - err = FALSE; + ok = FALSE; } - if (!err) + if (!ok) { vms_debug2 ((2, "slurp type %d failed\n", type)); return FALSE; -- Alan Modra Australia Development Lab, IBM
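Review bot: the rename is applied consistently, but the `EOBJ__C_ETIR` arm still sets `ok = TRUE` beside the commented-out `/* _bfd_vms_slurp_etir (abfd); */`, so ETIR records are accepted here without being parsed; either drop the stale call or add a one-line comment saying ETIR is handled elsewhere, so a reader does not take `ok = TRUE` for an oversight. In the `default:` arm, `ok = FALSE` returns failure without a bfd_set_error or a message naming the unknown record type, unlike the new dst_define_location check in the previous hunk; a `bfd_set_error (bfd_error_bad_value)` there would give callers a meaningful error instead of whatever was last set.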
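The commit message describes two distinct failure modes of an unbounded 32-bit index into a grow-on-demand table: a huge but "legal" allocation (up to 16 GiB) and arithmetic wraparound when the new element count or byte size is computed in 32 bits. The following C program is an added illustration, not binutils code: it models a table in the shape of dst_ptr_offsets, shows what the unchecked arithmetic evaluates to for hostile indices, and beside it a hardened grow routine that applies a ceiling like the patch's `1 << 24` before doing any arithmetic. The struct, the `DST_LOC_LIMIT` constant and the `table_define_location` function are hypothetical names chosen for this example; the real allocation code of vms-alpha.c is not shown on the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Added illustration (not binutils code): a grow-on-demand table of
   32-bit offsets in the shape of bfd's dst_ptr_offsets, indexed by the
   ETIR__C_CTL_DFLOC location number that comes straight from the file. */
struct ptr_table {
    unsigned int count;      /* entries currently allocated */
    unsigned int *offsets;
};

/* Assumed ceiling, mirroring the patch's `loc > 1 << 24` test. */
#define DST_LOC_LIMIT (1u << 24)

/* What a grow test of the form `loc + 1 > count` evaluates to in 32-bit
   unsigned arithmetic. For loc == UINT_MAX the sum wraps to 0, so no
   growth happens and a later offsets[loc] store lands out of bounds. */
bool unchecked_would_grow(unsigned int count, unsigned int loc)
{
    return loc + 1 > count;
}

/* Bytes an unbounded grow would request if the size stays in unsigned
   int: (loc + 1) * 4 wraps for loc >= 0x3FFFFFFF, so a table of a
   billion entries is "allocated" with a handful of bytes. */
unsigned int unchecked_request_bytes(unsigned int loc)
{
    unsigned int new_count = loc + 1;
    return new_count * (unsigned int) sizeof (unsigned int);
}

/* Bytes the same grow requests once the arithmetic is widened to 64 bits:
   a 32-bit index with no bound means up to 2^32 * 4 = 16 GiB. */
uint64_t widened_request_bytes(unsigned int loc)
{
    return ((uint64_t) loc + 1) * sizeof (unsigned int);
}

/* Hardened grow-and-store: reject absurd indices before any arithmetic.
   Returns false and leaves the table untouched on rejection or OOM. */
bool table_define_location(struct ptr_table *t, unsigned int loc,
                           unsigned int offset)
{
    if (loc > DST_LOC_LIMIT)
        return false;                /* the patch's bfd_error_bad_value path */
    if (loc + 1 > t->count) {        /* cannot wrap: loc <= 2^24 */
        size_t new_count = (size_t) loc + 1;
        unsigned int *p = realloc(t->offsets, new_count * sizeof *p);
        if (p == NULL)
            return false;
        memset(p + t->count, 0, (new_count - t->count) * sizeof *p);
        t->offsets = p;
        t->count = (unsigned int) new_count;
    }
    t->offsets[loc] = offset;
    return true;
}

/* Drive the hardened table through in-range, reuse and hostile indices.
   Returns the final entry count (11) or -1 if any expectation fails. */
int hardened_demo(void)
{
    struct ptr_table t = { 0, NULL };
    int result = -1;

    if (!table_define_location(&t, 10, 0x100) || t.count != 11)
        goto out;
    if (!table_define_location(&t, 3, 0x20) || t.count != 11)
        goto out;                    /* in-range reuse does not regrow */
    if (table_define_location(&t, UINT_MAX, 0) || t.count != 11)
        goto out;                    /* wraparound index rejected */
    if (table_define_location(&t, DST_LOC_LIMIT + 1, 0) || t.count != 11)
        goto out;                    /* just over the ceiling rejected */
    if (t.offsets[10] != 0x100 || t.offsets[3] != 0x20 || t.offsets[0] != 0)
        goto out;
    result = (int) t.count;
out:
    free(t.offsets);
    return result;
}

int main(void)
{
    printf("unchecked grow test at UINT_MAX grows table: %s\n",
           unchecked_would_grow(0, UINT_MAX) ? "yes" : "no");
    printf("unchecked bytes for loc 0x40000000: %u\n",
           unchecked_request_bytes(0x40000000u));
    printf("widened bytes for loc 0xFFFFFFFF: %llu\n",
           (unsigned long long) widened_request_bytes(UINT_MAX));
    printf("hardened demo final count: %d\n", hardened_demo());
    return 0;
}
```

The point of the three small helpers is that widening the arithmetic alone only trades one failure for another: the 32-bit version wraps to a tiny allocation followed by an out-of-bounds store, the 64-bit version asks the allocator for 16 GiB on fuzzer input. Bounding the index first, as the patch does, removes both, and also makes the `loc + 1` comparison safe without any further casts.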