Date: Mon, 13 Feb 2023 23:08:30 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: _bfd_ecoff_slurp_symbol_table buffer overflow

Add missing bounds check for local symbols, and tidy the existing bounds checking.

	* ecoff.c (_bfd_ecoff_slurp_symbol_table): Break overlong lines. Set bfd_error. Bounds check internal_sym.iss.

diff --git a/bfd/ecoff.c b/bfd/ecoff.c index 48f33df630e..7498766dd3f 100644 --- a/bfd/ecoff.c +++ b/bfd/ecoff.c 
@@ -896,9 +896,13 @@ _bfd_ecoff_slurp_symbol_table (bfd *abfd) (*swap_ext_in) (abfd, (void *) eraw_src, &internal_esym); /* PR 17512: file: 3372-1000-0.004. */ - if (internal_esym.asym.iss >= ecoff_data (abfd)->debug_info.symbolic_header.issExtMax + HDRR *symhdr = &ecoff_data (abfd)->debug_info.symbolic_header; + if (internal_esym.asym.iss >= symhdr->issExtMax || internal_esym.asym.iss < 0) - return false; + { + bfd_set_error (bfd_error_bad_value); + return false; + } internal_ptr->symbol.name = (ecoff_data (abfd)->debug_info.ssext + internal_esym.asym.iss); @@ -909,17 +913,13 @@ _bfd_ecoff_slurp_symbol_table (bfd *abfd) return false; /* The alpha uses a negative ifd field for section symbols. */ - if (internal_esym.ifd >= 0) - { - /* PR 17512: file: 3372-1983-0.004. */ - if (internal_esym.ifd >= ecoff_data (abfd)->debug_info.symbolic_header.ifdMax) - internal_ptr->fdr = NULL; - else - internal_ptr->fdr = (ecoff_data (abfd)->debug_info.fdr - + internal_esym.ifd); - } - else + /* PR 17512: file: 3372-1983-0.004. */ + if (internal_esym.ifd >= symhdr->ifdMax + || internal_esym.ifd < 0) internal_ptr->fdr = NULL; + else + internal_ptr->fdr = (ecoff_data (abfd)->debug_info.fdr + + internal_esym.ifd); internal_ptr->local = false; internal_ptr->native = (void *) eraw_src; } @@ -943,6 +943,14 @@ _bfd_ecoff_slurp_symbol_table (bfd *abfd) SYMR internal_sym; (*swap_sym_in) (abfd, (void *) lraw_src, &internal_sym); + + HDRR *symhdr = &ecoff_data (abfd)->debug_info.symbolic_header; + if (internal_sym.iss >= symhdr->issMax + || internal_sym.iss < 0) + { + bfd_set_error (bfd_error_bad_value); + return false; + } internal_ptr->symbol.name = (ecoff_data (abfd)->debug_info.ss + fdr_ptr->issBase + internal_sym.iss); -- Alan Modra Australia Development Lab, IBM
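Review bot: in the first hunk (@@ -896,9 +896,13) `HDRR *symhdr` is declared inside the external-symbol loop body, and the same declaration with the same initializer appears again in the third hunk (@@ -943,6 +943,14); `&ecoff_data (abfd)->debug_info.symbolic_header` does not change between iterations, so one declaration near the top of `_bfd_ecoff_slurp_symbol_table` would serve both loops and avoid the duplicated mid-block declaration. Also, the new check only validates the start offset (`iss < issExtMax`) while `symbol.name` is then taken as `debug_info.ssext + iss`, so reading the name still depends on the external string table being NUL-terminated within the buffer that was read elsewhere; a short comment recording that assumption next to the check would help the next reader.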
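Review bot: in the second hunk (@@ -909,17 +913,13) the flattened `internal_esym.ifd >= symhdr->ifdMax || internal_esym.ifd < 0` keeps the old behaviour (both the negative Alpha section-symbol case and the out-of-range case leave `fdr = NULL`), but a malformed `ifd >= ifdMax` is now handled silently in the same branch as the legitimate negative value, whereas the `iss` checks above and below fail with `bfd_error_bad_value`. If the asymmetry is intended (keep the symbol, just drop its FDR), the comment above the condition, which currently only explains the negative case, should say so; otherwise the `>= ifdMax` case could report an error like the others.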
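Review bot: in the third hunk (@@ -943,6 +943,14) the new check compares `internal_sym.iss` against `symhdr->issMax` alone, but the pointer computed two lines later is `debug_info.ss + fdr_ptr->issBase + internal_sym.iss`, so the effective index is `issBase + iss`. Unless `fdr_ptr->issBase` is validated where the FDRs are read, an `iss` below `issMax` combined with a large `issBase` can still point past the end of the string table; consider checking the sum against `issMax` (taking care the addition cannot overflow) or checking `iss` against the FDR's own string range, and drop the stray blank `+` line introduced before the `HDRR` declaration.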