Date: Tue, 9 May 2023 13:26:43 +0930
From: Alan Modra
To: binutils@sourceware.org
Subject: alpha-vms reloc sanity check

Stops fuzzed files triggering reads past the end of the reloc buffer.

* vms-alpha.c (alpha_vms_slurp_relocs): Sanity check reloc records.

diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c index d06d743f224..b0ad4016da3 100644 --- a/bfd/vms-alpha.c +++ b/bfd/vms-alpha.c @@ -5292,12 +5292,18 @@ alpha_vms_slurp_relocs (bfd *abfd) begin = PRIV (recrd.rec) + 4; end = PRIV (recrd.rec) + PRIV (recrd.rec_size); - for (ptr = begin; ptr < end; ptr += length) + for (ptr = begin; ptr + 4 <= end; ptr += length) { int cmd; cmd = bfd_getl16 (ptr); length = bfd_getl16 (ptr + 2); + if (length < 4 || length > end - ptr) + { + bad_rec: + _bfd_error_handler (_("corrupt reloc record")); + goto fail; + } cur_address = vaddr; 
@@ -5313,6 +5319,8 @@ alpha_vms_slurp_relocs (bfd *abfd) continue; case ETIR__C_STA_PQ: /* ALPHA_R_REF{LONG|QUAD}, others part 1 */ + if (length < 16) + goto bad_rec; cur_psidx = bfd_getl32 (ptr + 4); cur_addend = bfd_getl64 (ptr + 8); prev_cmd = cmd; @@ -5346,6 +5354,8 @@ alpha_vms_slurp_relocs (bfd *abfd) goto fail; } } + if (length < 8) + goto bad_rec; cur_addend = bfd_getl32 (ptr + 4); prev_cmd = cmd; continue; @@ -5360,6 +5370,8 @@ alpha_vms_slurp_relocs (bfd *abfd) _bfd_vms_etir_name (ETIR__C_STA_QW)); goto fail; } + if (length < 12) + goto bad_rec; cur_addend = bfd_getl64 (ptr + 4); prev_cmd = cmd; continue; @@ -5455,12 +5467,16 @@ alpha_vms_slurp_relocs (bfd *abfd) goto call_reloc; call_reloc: + if (length < 36) + goto bad_rec; cur_sym = ptr + 4 + 32; cur_address = bfd_getl64 (ptr + 4 + 8); cur_addend = bfd_getl64 (ptr + 4 + 24); break; case ETIR__C_STO_IMM: + if (length < 8) + goto bad_rec; vaddr += bfd_getl32 (ptr + 4); continue; @@ -5520,12 +5536,16 @@ alpha_vms_slurp_relocs (bfd *abfd) if (cur_sym != NULL) { unsigned int j; - unsigned int symlen = *cur_sym; + int symlen; asymbol **sym; /* Linear search. */ + if (end - cur_sym < 1) + goto bad_rec; symlen = *cur_sym; cur_sym++; + if (end - cur_sym < symlen) + goto bad_rec; sym = NULL; for (j = 0; j < PRIV (gsd_sym_count); j++) -- Alan Modra Australia Development Lab, IBM
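Review bot: in the first hunk (@@ -5292) the `bad_rec:` label sits inside the body of the `if (length < 4 || length > end - ptr)` block and is entered by `goto bad_rec` from the switch cases further down; that is legal C, but a label buried in a conditional block is easy to overlook when reading the loop, so a short comment there, or moving the label out to the function's error path next to `fail`, would help. Separately, changing the loop condition from `ptr < end` to `ptr + 4 <= end` means a trailing fragment of 1 to 3 bytes at the end of the record buffer is now skipped silently instead of being reported; since the new `length > end - ptr` check guarantees `ptr` never advances past `end`, an `if (ptr != end) goto bad_rec;` after the loop would flag that case if it should count as corruption.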
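Review bot: the symbol-name checks in the last hunk (@@ -5520), `end - cur_sym < 1` and `end - cur_sym < symlen`, bound the read against the end of the whole reloc buffer rather than against the current record, so a name that runs past `ptr + length` into the following records is accepted and those bytes are then re-parsed as a fresh record header on the next iteration. That is sufficient for the stated goal of stopping reads past the buffer, but comparing against `ptr + length - cur_sym` instead would reject the malformed record at its source and keep the per-record `length` checks added in the other hunks (`length < 16`, `< 8`, `< 12`, `< 36`) consistent with the symbol read; in the `call_reloc` hunk `length < 36` leaves `cur_sym` exactly at `ptr + 36`, so the symbol bytes are the only part of that record not covered by its own length field. The change of `symlen` from `unsigned int` to `int` is fine (it avoids a signed/unsigned comparison with the `ptrdiff_t` result of `end - cur_sym`, and a byte read through `*cur_sym` fits), though a comment saying so would save the next reader the same question.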