XCOFF uninitialized read
authorAlan Modra <amodra@gmail.com>
Fri, 20 Mar 2020 00:27:38 +0000 (10:57 +1030)
committerAlan Modra <amodra@gmail.com>
Fri, 20 Mar 2020 02:05:51 +0000 (12:35 +1030)
* coff-rs6000.c (_bfd_xcoff_slurp_armap): Ensure size is large
enough to read number of symbols.

bfd/ChangeLog
bfd/coff-rs6000.c

index 6c2e26d24ef118b2324a96fefe5e4c43d0f60ded..e04f008779319e3fde07e6ab25488c20f76e8825 100644 (file)
@@ -1,3 +1,8 @@
+2020-03-20  Alan Modra  <amodra@gmail.com>
+
+       * coff-rs6000.c (_bfd_xcoff_slurp_armap): Ensure size is large
+       enough to read number of symbols.
+
 2020-03-20  Alan Modra  <amodra@gmail.com>
 
        * elf.c (_bfd_elf_setup_sections): Don't test known non-NULL
index 2dd68e08c3b8a3c0832798f9e56ab827740fd1a0..bf87596a4fe6da609c3a66f65d49e4063173ce3c 100644 (file)
@@ -1260,9 +1260,9 @@ _bfd_xcoff_slurp_armap (bfd *abfd)
        return FALSE;
 
       GET_VALUE_IN_FIELD (sz, hdr.size, 10);
-      if (sz == (bfd_size_type) -1)
+      if (sz + 1 < 5)
        {
-         bfd_set_error (bfd_error_no_memory);
+         bfd_set_error (bfd_error_bad_value);
          return FALSE;
        }
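Review bot: The new test `sz + 1 < 5` after the first `GET_VALUE_IN_FIELD (sz, hdr.size, 10)` folds two conditions into one unsigned comparison, and nothing in the code says so. It rejects both the old `(bfd_size_type) -1` value, which wraps to 0, and any member size below the 4 bytes needed to read the symbol count. A comment such as `/* Reject the -1 sentinel (wraps to 0) and any size too small to hold the 4-byte symbol count.  */` would stop a later cleanup from rewriting it as `sz < 4`, which would let the -1 case through again. The same applies to `sz + 1 < 9` in the hunk at -1322, where the count is presumably 8 bytes wide. The code that allocates and reads using `sz` lies outside both hunks, so this check is the only visible guard on a size taken from the archive header.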
 
@@ -1322,9 +1322,9 @@ _bfd_xcoff_slurp_armap (bfd *abfd)
        return FALSE;
 
       GET_VALUE_IN_FIELD (sz, hdr.size, 10);
-      if (sz == (bfd_size_type) -1)
+      if (sz + 1 < 9)
        {
-         bfd_set_error (bfd_error_no_memory);
+         bfd_set_error (bfd_error_bad_value);
          return FALSE;
        }