alpha-vms: Sanity check ETIR__C_CTL_DFLOC index

Message ID 20200326005511.GI4583@bubble.grove.modra.org

Commit Message

Stefan Schulze Frielinghaus via Binutils March 26, 2020, 12:55 a.m.
I doubt anyone will want to create more than 16M debug location
entries.  If there is no bound, the object format allows for 32-bit
indices, and of course fuzzers find that and attempt allocation of up
to a 16G byte array.  The patch also fixes potential integer overflows
in calculating the array size.

	* vms-alpha.c (dst_define_location): Limit size of dst_ptr_offsets
	array.
	(_bfd_vms_slurp_object_records): Rename "err" to "ok".


-- 
Alan Modra
Australia Development Lab, IBM

Patch

diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
index c08d35d4b2..594363b32a 100644
--- a/bfd/vms-alpha.c
+++ b/bfd/vms-alpha.c
@@ -1553,6 +1553,14 @@  dst_define_location (bfd *abfd, unsigned int loc)
 {
   vms_debug2 ((4, "dst_define_location (%d)\n", (int)loc));
 
+  if (loc > 1 << 24)
+    {
+      /* 16M entries ought to be plenty.  */
+      bfd_set_error (bfd_error_bad_value);
+      _bfd_error_handler (_("dst_define_location %u too large"), loc);
+      return FALSE;
+    }
+
   /* Grow the ptr offset table if necessary.  */
   if (loc + 1 > PRIV (dst_ptr_offsets_count))
     {
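Review bot: The bound in `if (loc > 1 << 24)` is a bare magic number that is restated only in the comment beneath it, so a later change to one can silently diverge from the other; a named constant such as `enum { DST_PTR_OFFSETS_LIMIT = 1u << 24 };` (name is a suggestion) used in both the comparison and the comment would keep them in step. An unsigned literal also avoids the signed `int` value of `1 << 24` being converted in the comparison with the unsigned `loc`. This early return is also what guarantees that `loc + 1` on the following line cannot wrap, which deserves a note so it is not weakened later: `/* Also keeps loc + 1 below from wrapping.  */`. The array-size overflow fixes mentioned in the commit message are in the grow branch after the hunk, and dst_define_location's body continues outside it.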
@@ -2634,7 +2642,7 @@  _bfd_vms_slurp_eeom (bfd *abfd)
 static bfd_boolean
 _bfd_vms_slurp_object_records (bfd * abfd)
 {
-  bfd_boolean err;
+  bfd_boolean ok;
   int type;
 
   do
@@ -2651,27 +2659,27 @@  _bfd_vms_slurp_object_records (bfd * abfd)
       switch (type)
 	{
 	case EOBJ__C_EMH:
-	  err = _bfd_vms_slurp_ehdr (abfd);
+	  ok = _bfd_vms_slurp_ehdr (abfd);
 	  break;
 	case EOBJ__C_EEOM:
-	  err = _bfd_vms_slurp_eeom (abfd);
+	  ok = _bfd_vms_slurp_eeom (abfd);
 	  break;
 	case EOBJ__C_EGSD:
-	  err = _bfd_vms_slurp_egsd (abfd);
+	  ok = _bfd_vms_slurp_egsd (abfd);
 	  break;
 	case EOBJ__C_ETIR:
-	  err = TRUE; /* _bfd_vms_slurp_etir (abfd); */
+	  ok = TRUE; /* _bfd_vms_slurp_etir (abfd); */
 	  break;
 	case EOBJ__C_EDBG:
-	  err = _bfd_vms_slurp_edbg (abfd);
+	  ok = _bfd_vms_slurp_edbg (abfd);
 	  break;
 	case EOBJ__C_ETBT:
-	  err = _bfd_vms_slurp_etbt (abfd);
+	  ok = _bfd_vms_slurp_etbt (abfd);
 	  break;
 	default:
-	  err = FALSE;
+	  ok = FALSE;
 	}
-      if (!err)
+      if (!ok)
 	{
 	  vms_debug2 ((2, "slurp type %d failed\n", type));
 	  return FALSE;