From: Alan Modra <amodra@gmail.com>
Date: Tue, 18 May 2021 14:09:35 +0000 (+0930)
Subject: PR27879, stack-buffer-overflow on sysdump
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=9d9e2a340ba50670f406afa314acaa9a2c34ec64;p=binutils-gdb.git

PR27879, stack-buffer-overflow on sysdump

	PR 27879
	* sysdump.c (getBARRAY): Sanity check size against max.
	(getINT): Avoid UB shift left.
---

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 3819a42719e..6767729d705 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2021-05-19  Alan Modra  <amodra@gmail.com>
+
+	PR 27879
+	* sysdump.c (getBARRAY): Sanity check size against max.
+	(getINT): Avoid UB shift left.
+
 2021-05-15  Alan Modra  <amodra@gmail.com>
 
 	* dwarf.c (process_cu_tu_index): Avoid pointer UB.  Use _mul_overflow.
diff --git a/binutils/sysdump.c b/binutils/sysdump.c
index 8993152bdd6..35796e829a0 100644
--- a/binutils/sysdump.c
+++ b/binutils/sysdump.c
@@ -131,19 +131,21 @@ fillup (unsigned char *ptr)
 }
 
 static barray
-getBARRAY (unsigned char *ptr, int *idx, int dsize ATTRIBUTE_UNUSED,
-	   int max ATTRIBUTE_UNUSED)
+getBARRAY (unsigned char *ptr, int *idx, int dsize ATTRIBUTE_UNUSED, int max)
 {
   barray res;
   int i;
   int byte = *idx / 8;
-  int size = ptr[byte++];
+  int size = 0;
+
+  if (byte < max)
+    size = ptr[byte++];
 
   res.len = size;
   res.data = (unsigned char *) xmalloc (size);
 
   for (i = 0; i < size; i++)
-    res.data[i] = ptr[byte++];
+    res.data[i] = byte < max ? ptr[byte++] : 0;
 
   return res;
 }
@@ -179,7 +181,8 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
       n = (ptr[byte + 0] << 8) + ptr[byte + 1];
       break;
     case 4:
-      n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]);
+      n = (((unsigned) ptr[byte + 0] << 24) + (ptr[byte + 1] << 16)
+	   + (ptr[byte + 2] << 8) + (ptr[byte + 3]));
       break;
     default:
       fatal (_("Unsupported read size: %d"), size);