From cc4c4f40a2b46e355684e450f59154cece591c39 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Wed, 26 Feb 2020 15:14:48 +1030
Subject: [PATCH] Re: vms buffer overflows and large memory allocation

git commit c893ce360a changed buffer management, in the process introducing a bug on an error return path.

	* vms-lib.c (vms_lib_read_index): Release correct buffer.
---
 bfd/ChangeLog | 4 ++++
 bfd/vms-lib.c | 8 ++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 3b69b806560..0847dd5be71 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,7 @@
+2020-02-26 Alan Modra
+
+	* vms-lib.c (vms_lib_read_index): Release correct buffer.
+
 2020-02-26 Alan Modra
 
 	* elf32-rx.c (rx_elf_relocate_section): Use bfd_malloc rather than
diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c
index 87f865864c6..29e213f8c39 100644
--- a/bfd/vms-lib.c
+++ b/bfd/vms-lib.c
@@ -416,6 +416,7 @@ vms_lib_read_index (bfd *abfd, int idx, unsigned int *nbrel)
   unsigned int vbn;
   ufile_ptr filesize;
   size_t amt;
+  struct carsym *csbuf;
   struct carsym_mem csm;
 
   /* Read index desription.  */
@@ -447,7 +448,7 @@ vms_lib_read_index (bfd *abfd, int idx, unsigned int *nbrel)
   csm.max = csm.limit;
   if (_bfd_mul_overflow (csm.max, sizeof (struct carsym), &amt))
     return NULL;
-  csm.idx = bfd_alloc (abfd, amt);
+  csm.idx = csbuf = bfd_alloc (abfd, amt);
   if (csm.idx == NULL)
     return NULL;
 
@@ -455,12 +456,12 @@ vms_lib_read_index (bfd *abfd, int idx, unsigned int *nbrel)
   vbn = bfd_getl32 (idd.vbn);
   if (vbn != 0 && !vms_traverse_index (abfd, vbn, &csm))
     {
-      if (csm.realloced && csm.idx != NULL)
+      if (csm.realloced)
         free (csm.idx);
 
       /* Note: in case of error, we can free what was allocated on the
          BFD's objalloc.  */
-      bfd_release (abfd, csm.idx);
+      bfd_release (abfd, csbuf);
       return NULL;
     }
 
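Review bot: The comment kept above the new `bfd_release (abfd, csbuf);` line still says only that "we can free what was allocated on the BFD's objalloc", which no longer explains why csbuf rather than csm.idx is released: the `if (csm.realloced) free (csm.idx);` two lines earlier shows csm.idx may by then point at heap memory obtained inside vms_traverse_index, while csbuf is still the objalloc block assigned in the previous hunk by `csm.idx = csbuf = bfd_alloc (abfd, amt);`. I would reword it to `/* vms_traverse_index may have moved csm.idx to malloc'd memory; csbuf is still the block taken from the objalloc, so release that one.  */` and give the declaration added in the first hunk a matching one-liner, `struct carsym *csbuf;  /* Objalloc block that initially backs csm.idx.  */`. Dropping the `csm.idx != NULL` test presumably relies on realloced never being set without a valid buffer, which vms_traverse_index (outside this patch) has to guarantee. The body of vms_lib_read_index continues outside these hunks.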
@@ -468,7 +469,6 @@ vms_lib_read_index (bfd *abfd, int idx, unsigned int *nbrel)
     {
       /* There are more entries than the first estimate.  Allocate on
          the BFD's objalloc.  */
-      struct carsym *csbuf;
       csbuf = bfd_alloc (abfd, csm.nbr * sizeof (struct carsym));
       if (csbuf == NULL)
         return NULL;
-- 
2.30.2
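Review bot: The `if (csbuf == NULL) return NULL;` path in this hunk leaks the realloced index: this branch is reached only when csm.realloced is set, and the error path in the previous hunk shows csm.idx is then heap memory that has to be freed explicitly, yet nothing frees it before returning. The guard should become `if (csbuf == NULL) { free (csm.idx); return NULL; }`, split over separate lines in the file's GNU layout. The size `csm.nbr * sizeof (struct carsym)` is presumably within the bound already overflow-checked when the buffer grew, but the earlier allocation at 448 goes through `_bfd_mul_overflow` into amt, and using the same pattern here would keep the two allocations consistent. The rest of the realloced branch and the function's return lie outside this hunk.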