asan: aout: heap buffer overflow

	* aoutx.h (aout_get_external_symbols): Sanity check before writing
	zero index entry.  Remove outdated comment.
	* pdp11.c (aout_get_external_symbols): Likewise.

diff --git a/bfd/aoutx.h b/bfd/aoutx.h
index ea09646f2b37e91e29e8cc418e29b1e404e72e1f..61d8e0c87167eb717b824c550fcfee93ec0c0d6f 100644 (file)
--- a/bfd/aoutx.h
+++ b/bfd/aoutx.h
@@ -1353,8 +1353,6 @@ aout_get_external_symbols (bfd *abfd)
 
          if (stringsize >= BYTES_IN_WORD)
            {
-             /* Keep the string count in the buffer for convenience
-                when indexing with e_strx.  */
              amt = stringsize - BYTES_IN_WORD;
              if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
                {
@@ -1364,7 +1362,8 @@ aout_get_external_symbols (bfd *abfd)
            }
        }
       /* Ensure that a zero index yields an empty string.  */
-      memset (strings, 0, BYTES_IN_WORD);
+      if (stringsize >= BYTES_IN_WORD)
+       memset (strings, 0, BYTES_IN_WORD);
 
       /* Ensure that the string buffer is NUL terminated.  */
       strings[stringsize] = 0;

diff --git a/bfd/pdp11.c b/bfd/pdp11.c
index 6429b43be1980b60d7edaa6737606504c77d24e4..280f5cdd68bfb62163b850eee9c5ba1bfd84bbf6 100644 (file)
--- a/bfd/pdp11.c
+++ b/bfd/pdp11.c
@@ -1333,8 +1333,6 @@ aout_get_external_symbols (bfd *abfd)
 
          if (stringsize >= BYTES_IN_LONG)
            {
-             /* Keep the string count in the buffer for convenience
-                when indexing with e_strx.  */
              amt = stringsize - BYTES_IN_LONG;
              if (bfd_bread (strings + BYTES_IN_LONG, amt, abfd) != amt)
                {
@@ -1344,7 +1342,8 @@ aout_get_external_symbols (bfd *abfd)
            }
        }
       /* Ensure that a zero index yields an empty string.  */
-      memset (strings, 0, BYTES_IN_LONG);
+      if (stringsize >= BYTES_IN_WORD)
+       memset (strings, 0, BYTES_IN_LONG);
 
       /* Ensure that the string buffer is NUL terminated.  */
       strings[stringsize] = 0;