PR27879, stack-buffer-overflow on sysdump

	PR 27879
	* sysdump.c (getBARRAY): Sanity check size against max.
	(getINT): Avoid UB shift left.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 3819a42719e6c66d5cc79e16e1d3ba6d7532b8f4..6767729d705bb29838d70351beba42347b84e978 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2021-05-19  Alan Modra  <amodra@gmail.com>
+
+       PR 27879
+       * sysdump.c (getBARRAY): Sanity check size against max.
+       (getINT): Avoid UB shift left.
+
 2021-05-15  Alan Modra  <amodra@gmail.com>
 
        * dwarf.c (process_cu_tu_index): Avoid pointer UB.  Use _mul_overflow.

diff --git a/binutils/sysdump.c b/binutils/sysdump.c
index 8993152bdd61d9c98fcd1eca34e90d24e0f324c7..35796e829a025b9032440207ca62fa7cd189cbf2 100644 (file)
--- a/binutils/sysdump.c
+++ b/binutils/sysdump.c
@@ -131,19 +131,21 @@ fillup (unsigned char *ptr)
 }
 
 static barray
-getBARRAY (unsigned char *ptr, int *idx, int dsize ATTRIBUTE_UNUSED,
-          int max ATTRIBUTE_UNUSED)
+getBARRAY (unsigned char *ptr, int *idx, int dsize ATTRIBUTE_UNUSED, int max)
 {
   barray res;
   int i;
   int byte = *idx / 8;
-  int size = ptr[byte++];
+  int size = 0;
+
+  if (byte < max)
+    size = ptr[byte++];
 
   res.len = size;
   res.data = (unsigned char *) xmalloc (size);
 
   for (i = 0; i < size; i++)
-    res.data[i] = ptr[byte++];
+    res.data[i] = byte < max ? ptr[byte++] : 0;
 
   return res;
 }
@@ -179,7 +181,8 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
       n = (ptr[byte + 0] << 8) + ptr[byte + 1];
       break;
     case 4:
-      n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]);
+      n = (((unsigned) ptr[byte + 0] << 24) + (ptr[byte + 1] << 16)
+          + (ptr[byte + 2] << 8) + (ptr[byte + 3]));
       break;
     default:
       fatal (_("Unsupported read size: %d"), size);