PR26188, buff overflow in coff_find_nearest_line_with_names

	PR 26188
	* coffgen.c (coff_find_nearest_line_with_names): Sanity check
	raw syment index before dereferencing.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index fc6042e7f3c0472daa8dd42c9f7fde17972fdf25..b91df9985eb38420bae46ff85f8ff4b869e277c3 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2020-07-01  Alan Modra  <amodra@gmail.com>
+
+       PR 26188
+       * coffgen.c (coff_find_nearest_line_with_names): Sanity check
+       raw syment index before dereferencing.
+
 2020-07-01  Alan Modra  <amodra@gmail.com>
 
        * elf32-i386.c (elf_backend_object_p): Undef for vxworks.

diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index 94589b43d2f0d21d70e4caa87e2fb763cc0c0c28..3291b693eb0b00f3dd0f3a876c63ab9a3742de40 100644 (file)
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -2435,11 +2435,15 @@ coff_find_nearest_line_with_names (bfd *abfd,
 
                  /* In XCOFF a debugging symbol can follow the
                     function symbol.  */
-                 if (s->u.syment.n_scnum == N_DEBUG)
+                 if (((size_t) ((char *) s - (char *) obj_raw_syments (abfd))
+                      < obj_raw_syment_count (abfd) * sizeof (*s))
+                     && s->u.syment.n_scnum == N_DEBUG)
                    s = s + 1 + s->u.syment.n_numaux;
 
                  /* S should now point to the .bf of the function.  */
-                 if (s->u.syment.n_numaux)
+                 if (((size_t) ((char *) s - (char *) obj_raw_syments (abfd))
+                      < obj_raw_syment_count (abfd) * sizeof (*s))
+                     && s->u.syment.n_numaux)
                    {
                      /* The linenumber is stored in the auxent.  */
                      union internal_auxent *a = &((s + 1)->u.auxent);