From: Alan Modra
To: binutils@sourceware.org
Date: Fri, 3 Feb 2023 16:10:53 +1030
Subject: Add ECOFF Symbolic Header sanity checks

Anti-fuzzer measures.  The checks don't ensure the various elements in the
header are distinct, but that isn't important as far as making sure we
don't overrun the buffer containing all the elements.  Also, we now don't
care about offsets where the corresponding count is zero.

	* ecoff.c (_bfd_ecoff_slurp_symbolic_info): Sanity check offsets
	in debug->symbolic_header.

diff --git a/bfd/ecoff.c b/bfd/ecoff.c index 717d2fa2c75..48f33df630e 100644 --- a/bfd/ecoff.c +++ b/bfd/ecoff.c
@@ -527,12 +527,24 @@ _bfd_ecoff_slurp_symbolic_info (bfd *abfd, documented section. And the ordering of the sections varies between statically and dynamically linked executables. If bfd supports SEEK_END someday, this code could be simplified. */ - raw_end = 0; + raw_end = raw_base; #define UPDATE_RAW_END(start, count, size) \ - cb_end = internal_symhdr->start + internal_symhdr->count * (size); \ - if (cb_end > raw_end) \ - raw_end = cb_end + do \ + if (internal_symhdr->count != 0) \ + { \ + if (internal_symhdr->start < raw_base) \ + goto err; \ + if (_bfd_mul_overflow ((unsigned long) internal_symhdr->count, \ + (size), &amt)) \ + goto err; \ + cb_end = internal_symhdr->start + amt; \ + if (cb_end < internal_symhdr->start) \ + goto err; \ + if (cb_end > raw_end) \ + raw_end = cb_end; \ + } \ + while (0) UPDATE_RAW_END (cbLineOffset, cbLine, sizeof (unsigned char)); UPDATE_RAW_END (cbDnOffset, idnMax, backend->debug_swap.external_dnr_size); @@ -599,6 +611,7 @@ _bfd_ecoff_slurp_symbolic_info (bfd *abfd, if (_bfd_mul_overflow ((unsigned long) internal_symhdr->ifdMax, sizeof (struct fdr), &amt)) { + err: bfd_set_error (bfd_error_file_too_big); return false; } -- Alan Modra Australia Development Lab, IBM
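Review bot: in the first hunk (the UPDATE_RAW_END rewrite), the `(unsigned long)` cast on `internal_symhdr->count` is the only thing standing between a negative count and the size computation; if the count fields are signed, as the cast suggests, a negative value becomes a huge unsigned one and is rejected only indirectly, by `_bfd_mul_overflow` or by the `cb_end < internal_symhdr->start` wraparound test. For a one-byte element such as `UPDATE_RAW_END (cbLineOffset, cbLine, sizeof (unsigned char));` the multiply cannot overflow, so the addition test is the sole guard. An explicit `if (internal_symhdr->count < 0) goto err;` at the top of the macro would state the intent directly, and the macro should carry a comment saying it leaves the function via `goto err`, since nothing at the call sites hints at that.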
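Review bot: in the second hunk the new `err:` label is placed inside the braces of the existing `if (_bfd_mul_overflow ((unsigned long) internal_symhdr->ifdMax, sizeof (struct fdr), &amt))` block, so every `goto err` from the macro jumps into the body of an unrelated conditional. That is legal C, but it reads as though the label belongs to the ifdMax check; a standalone `err:` block reached by both the macro and that `if` would keep the error exit visible. The error code taken from that path, `bfd_error_file_too_big`, also does not describe a header with an out-of-range offset; `bfd_error_bad_value` would give a more accurate diagnostic for the new rejections.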