Date: Wed, 16 Feb 2022 22:00:59 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: asan: buffer overflow in peXXigen.c

* peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Properly sanity check DataDirectory[PE_DEBUG_DATA].Size.

diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c index c71dacd4bf0..d11ea01c554 100644 --- a/bfd/peXXigen.c +++ b/bfd/peXXigen.c @@ -2937,6 +2937,7 @@ bool _bfd_XX_bfd_copy_private_bfd_data_common (bfd * ibfd, bfd * obfd) { pe_data_type *ipe, *ope; + bfd_size_type size; /* One day we may try to grok other private data. */ if (ibfd->xvec->flavour != bfd_target_coff_flavour @@ -2971,7 +2972,8 @@ _bfd_XX_bfd_copy_private_bfd_data_common (bfd * ibfd, bfd * obfd) memcpy (ope->dos_message, ipe->dos_message, sizeof (ope->dos_message)); /* The file offsets contained in the debug directory need rewriting. */ - if (ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size != 0) + size = ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size; + if (size != 0) { bfd_vma addr = ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].VirtualAddress + ope->pe_opthdr.ImageBase; 
@@ -2980,12 +2982,16 @@ _bfd_XX_bfd_copy_private_bfd_data_common (bfd * ibfd, bfd * obfd) representing s_size, not virt_size). Therefore don't look for the section containing the first byte, but for that covering the last one. */ - bfd_vma last = addr + ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size - 1; + bfd_vma last = addr + size - 1; asection *section = find_section_by_vma (obfd, last); bfd_byte *data; + bfd_vma dataoff = addr - section->vma; /* PR 17512: file: 0f15796a. */ - if (section && addr < section->vma) + if (section + && (addr < section->vma + || section->size < dataoff + || section->size - dataoff < size)) { /* xgettext:c-format */ _bfd_error_handler @@ -3000,7 +3006,7 @@ _bfd_XX_bfd_copy_private_bfd_data_common (bfd * ibfd, bfd * obfd) { unsigned int i; struct external_IMAGE_DEBUG_DIRECTORY *dd = - (struct external_IMAGE_DEBUG_DIRECTORY *)(data + (addr - section->vma)); + (struct external_IMAGE_DEBUG_DIRECTORY *)(data + dataoff); for (i = 0; i < ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size / sizeof (struct external_IMAGE_DEBUG_DIRECTORY); i++) -- Alan Modra Australia Development Lab, IBM
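Review bot: in the @@ -2980 hunk, `bfd_vma dataoff = addr - section->vma;` dereferences `section` before the `if (section && ...)` test that follows it, so a debug directory whose last byte lies outside every section (find_section_by_vma returning NULL) now hits a NULL dereference where the old code only reported an error. Declare `dataoff` without an initializer and assign it inside the guarded branch, or initialise it as `bfd_vma dataoff = 0;` and compute `dataoff = addr - section->vma;` only once `section` is known to be non-NULL. The new bounds test itself is sound: testing `addr < section->vma` first keeps `dataoff` from wrapping, and `section->size - dataoff < size` avoids the overflow that `dataoff + size > section->size` would allow.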
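Review bot: in the @@ -3000 hunk the loop bound still reads `ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size / sizeof (struct external_IMAGE_DEBUG_DIRECTORY)` even though the same value was just cached in `size` and is what the new check validated against `section->size - dataoff`; writing the bound as `size / sizeof (struct external_IMAGE_DEBUG_DIRECTORY)` would make it visible at the loop that every entry it reads lies inside the bytes the check covered, and keeps the two from silently diverging if one is edited later.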