From: Alan Modra Date: Wed, 1 Jun 2022 08:14:41 +0000 (+0930) Subject: asan: heap buffer overflow in dwarf2_directive_filename X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=6f87d3fd27417e5adb2aa6f106a614296425df57;p=binutils-gdb.git asan: heap buffer overflow in dwarf2_directive_filename Seen with .file 4294967289 "xxx.c" * dwarf2dbg.c (assign_file_to_slot): Catch more cases of integer overflow. Make param i an unsigned int.
---
diff --git a/gas/dwarf2dbg.c b/gas/dwarf2dbg.c
index 185d57c253f..b4b252970c1 100644
--- a/gas/dwarf2dbg.c
+++ b/gas/dwarf2dbg.c
@@ -679,7 +679,7 @@ get_directory_table_entry (const char *dirname,
 }
 static bool
-assign_file_to_slot (unsigned long i, const char *file, unsigned int dir)
+assign_file_to_slot (unsigned int i, const char *file, unsigned int dir)
 {
 if (i >= files_allocated)
 {
@@ -687,9 +687,11 @@ assign_file_to_slot (unsigned long i, const char *file, unsigned int dir)
 files_allocated = i + 32;
 /* Catch wraparound. */
- if (files_allocated <= old)
+ if (files_allocated < old
+ || files_allocated < i
+ || files_allocated > UINT_MAX / sizeof (struct file_entry))
 {
- as_bad (_("file number %lu is too big"), (unsigned long) i);
+ as_bad (_("file number %u is too big"), i);
 return false;
 }
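Review bot: Narrowing `i` from `unsigned long` to `unsigned int` in the signature means a wider file number is truncated at the call site, before the `i >= files_allocated` test and the new overflow checks can see it. On hosts where the caller holds a 64-bit value, a number above UINT_MAX would land in a low slot instead of being reported as too big. The callers are outside this hunk, so whether they already reject such values is not visible. If they do not, the range check belongs there. Either way, a comment above the function should state the contract, for example `/* I must already fit in unsigned int; wider values are truncated by the call and are not diagnosed here.  */`.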
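Review bot: `files_allocated` is overwritten with `i + 32` before the wraparound test, and the error branch returns without restoring `old`, so after a rejected file number the counter no longer matches the real size of the table. A later call with a smaller `i` could then skip the `i >= files_allocated` growth path even though the table was never resized. This is inferred, since the resize and the slot write are outside the hunk. Adding `files_allocated = old;` before `return false;` keeps the two in step, as does computing `i + 32` into a local and assigning it only after the checks pass.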