From: Alan Modra <amodra@gmail.com>
Date: Mon, 3 Aug 2020 13:44:57 +0000 (+0930)
Subject: asan: alpha-vms: buffer overflow in vms_traverse_index
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=e44a1d7b9ad8d73f6cea1f20fe353fc12f9b8e66;p=binutils-gdb.git

asan: alpha-vms: buffer overflow in vms_traverse_index

	* vms-lib.c (vms_traverse_index): Sanity check size remaining
	before accessing vms_idx or vms_elfidx.
---

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 25cb69fd13f..aae554b560d 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,8 @@
+2020-08-03  Alan Modra  <amodra@gmail.com>
+
+	* vms-lib.c (vms_traverse_index): Sanity check size remaining
+	before accessing vms_idx or vms_elfidx.
+
 2020-08-03  Alan Modra  <amodra@gmail.com>
 
 	PR 26330
diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c
index f000bc2a8f1..93791088bd4 100644
--- a/bfd/vms-lib.c
+++ b/bfd/vms-lib.c
@@ -277,7 +277,8 @@ vms_traverse_index (bfd *abfd, unsigned int vbn, struct carsym_mem *cs,
       unsigned int flags;
 
       /* Extract key length.  */
-      if (bfd_libdata (abfd)->ver == LBR_MAJORID)
+      if (bfd_libdata (abfd)->ver == LBR_MAJORID
+	  && offsetof (struct vms_idx, keyname) <= (size_t) (endp - p))
 	{
 	  struct vms_idx *ridx = (struct vms_idx *)p;
 
@@ -288,7 +289,8 @@ vms_traverse_index (bfd *abfd, unsigned int vbn, struct carsym_mem *cs,
 	  flags = 0;
 	  keyname = ridx->keyname;
 	}
-      else if (bfd_libdata (abfd)->ver == LBR_ELFMAJORID)
+      else if (bfd_libdata (abfd)->ver == LBR_ELFMAJORID
+	       && offsetof (struct vms_elfidx, keyname) <= (size_t) (endp - p))
 	{
 	  struct vms_elfidx *ridx = (struct vms_elfidx *)p;