From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from kwanyin.sergiodj.net (kwanyin.sergiodj.net [158.69.185.54]) by server2.sourceware.org (Postfix) with ESMTPS id AF35C3877026 for ; Sun, 8 Mar 2020 07:13:53 +0000 (GMT) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [binutils-gdb] Re: vms buffer overflows and large memory allocation From: gdb-buildbot@sergiodj.net To: gdb-testers@sourceware.org Message-Id: Date: Sun, 08 Mar 2020 03:13:52 -0400 X-Spam-Status: No, score=-26.9 required=5.0 tests=BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: gdb-testers@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gdb-testers mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Mar 2020 07:13:55 -0000 *** TEST RESULTS FOR COMMIT a98c743fdf721a2333220209ca15e147badb55d1 *** commit a98c743fdf721a2333220209ca15e147badb55d1 Author: Alan Modra AuthorDate: Mon Feb 24 13:19:13 2020 +1030 Commit: Alan Modra CommitDate: Mon Feb 24 13:21:48 2020 +1030 Re: vms buffer overflows and large memory allocation The last patch wasn't quite correct. I'd missed the fact that sbm_off had been updated. * vms-lib.c (_bfd_vms_lib_archive_p): Correct overflow checks. diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 58b560d1aa..eeb042c32f 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,7 @@ +2020-02-24 Alan Modra + + * vms-lib.c (_bfd_vms_lib_archive_p): Correct overflow checks. + 2020-02-24 Alan Modra * vms-lib.c (struct carsym_mem): Add limit. diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c index 3b42857aa9..87f865864c 100644 --- a/bfd/vms-lib.c +++ b/bfd/vms-lib.c 
@@ -627,6 +627,8 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind) sbm = (struct vms_dcxsbm *) (buf + sbm_off); sbm_sz = bfd_getl16 (sbm->size); sbm_off += sbm_sz; + if (sbm_off > reclen) + goto err; sbmdesc->min_char = sbm->min_char; BFD_ASSERT (sbmdesc->min_char == 0); @@ -639,21 +641,21 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind) goto err; sbmdesc->flags = (unsigned char *)bfd_alloc (abfd, l); off = bfd_getl16 (sbm->flags); - if (off > reclen - sbm_off - || reclen - sbm_off - off < l) + if (off > sbm_sz + || sbm_sz - off < l) goto err; memcpy (sbmdesc->flags, (bfd_byte *) sbm + off, l); sbmdesc->nodes = (unsigned char *)bfd_alloc (abfd, 2 * sbm_len); off = bfd_getl16 (sbm->nodes); - if (off > reclen - sbm_off - || reclen - sbm_off - off < 2 * sbm_len) + if (off > sbm_sz + || sbm_sz - off < 2 * sbm_len) goto err; memcpy (sbmdesc->nodes, (bfd_byte *) sbm + off, 2 * sbm_len); off = bfd_getl16 (sbm->next); if (off != 0) { - if (off > reclen - sbm_off - || reclen - sbm_off - off < 2 * sbm_len) + if (off > sbm_sz + || sbm_sz - off < 2 * sbm_len) goto err; /* Read the 'next' array. */ sbmdesc->next = (unsigned short *) bfd_alloc (abfd, 2 * sbm_len);
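Review bot: in the first hunk, the new `if (sbm_off > reclen) goto err;` runs after `sbm_sz = bfd_getl16 (sbm->size)` has already dereferenced `sbm`, so the submap header is read before this bound is established. Unless a check not shown here guarantees `sbm_off + sizeof (struct vms_dcxsbm) <= reclen` before `sbm` is formed, consider adding that test above the `bfd_getl16` read; with it in place, checking `sbm_off > reclen` after the addition correctly rejects a `size` field that would carry the submap past the end of the record. This test only bounds the submap as a whole, so the per-field checks that follow are still what keep `flags`, `nodes` and `next` inside it.

Review bot: in the second hunk, `sbmdesc->flags` and `sbmdesc->nodes` are allocated with `bfd_alloc` before the corrected `off > sbm_sz || sbm_sz - off < l` and `... < 2 * sbm_len` checks run, and neither return value is tested before `memcpy`, although `bfd_alloc` returns NULL on allocation failure; moving each check ahead of its `bfd_alloc` and failing on NULL, as is already done for `sbmdesc->next`, would avoid allocating for a record that is about to be rejected. Switching the base from `reclen - sbm_off` to `sbm_sz` is correct, since `(bfd_byte *) sbm + off` indexes from the submap start and `sbm_off` has already been advanced past it, and the unsigned `off > sbm_sz` guard before the subtraction is needed to avoid wrap. The same test now appears three times in identical shape; a small static helper over `(sbm_sz, off, len)` would keep the next correction in one place.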