asan: alpha-vms: buffer overflow in vms_traverse_index

	* vms-lib.c (vms_traverse_index): Sanity check size remaining
	before accessing vms_idx or vms_elfidx.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 25cb69fd13f0478c7b447798bc140e620b6b7430..aae554b560d2795f4e61aea390865e4686c162ed 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,8 @@
+2020-08-03  Alan Modra  <amodra@gmail.com>
+
+       * vms-lib.c (vms_traverse_index): Sanity check size remaining
+       before accessing vms_idx or vms_elfidx.
+
 2020-08-03  Alan Modra  <amodra@gmail.com>
 
        PR 26330

diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c
index f000bc2a8f1fbf08fd9db209a0d872deb8090dc0..93791088bd4b1c7fecf81e63c7f669fc8211504d 100644 (file)
--- a/bfd/vms-lib.c
+++ b/bfd/vms-lib.c
@@ -277,7 +277,8 @@ vms_traverse_index (bfd *abfd, unsigned int vbn, struct carsym_mem *cs,
       unsigned int flags;
 
       /* Extract key length.  */
-      if (bfd_libdata (abfd)->ver == LBR_MAJORID)
+      if (bfd_libdata (abfd)->ver == LBR_MAJORID
+         && offsetof (struct vms_idx, keyname) <= (size_t) (endp - p))
        {
          struct vms_idx *ridx = (struct vms_idx *)p;
 
@@ -288,7 +289,8 @@ vms_traverse_index (bfd *abfd, unsigned int vbn, struct carsym_mem *cs,
          flags = 0;
          keyname = ridx->keyname;
        }
-      else if (bfd_libdata (abfd)->ver == LBR_ELFMAJORID)
+      else if (bfd_libdata (abfd)->ver == LBR_ELFMAJORID
+              && offsetof (struct vms_elfidx, keyname) <= (size_t) (endp - p))
        {
          struct vms_elfidx *ridx = (struct vms_elfidx *)p;