From patchwork Fri Feb 17 02:38:50 2023
X-Patchwork-Submitter: Alan Modra
X-Patchwork-Id: 58321
Date: Fri, 17 Feb 2023 13:08:50 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: Wild pointer reads in _bfd_ecoff_locate_line
List-Id: Binutils mailing list

* ecofflink.c (mk_fdrtab): Sanity check fdr procedure descriptor pointer and isymBase. Set fdrtab_len after possible discards. Use size_t vars and catch possible size overflows.

diff --git a/bfd/ecofflink.c b/bfd/ecofflink.c index 3521dc8c4d6..e902bd51d53 100644 --- a/bfd/ecofflink.c +++ b/bfd/ecofflink.c @@ -1730,8 +1730,8 @@ mk_fdrtab (bfd *abfd, FDR *fdr_start; FDR *fdr_end; bool stabs; - long len; - bfd_size_type amt; + size_t len; + size_t amt; fdr_start = debug_info->fdr; fdr_end = fdr_start + debug_info->symbolic_header.ifdMax; 
@@ -1739,17 +1739,26 @@ mk_fdrtab (bfd *abfd, /* First, let's see how long the table needs to be. */ for (len = 0, fdr_ptr = fdr_start; fdr_ptr < fdr_end; fdr_ptr++) { - if (fdr_ptr->cpd == 0) /* Skip FDRs that have no PDRs. */ + /* Sanity check fdr procedure descriptor pointer. */ + long ipdMax = debug_info->symbolic_header.ipdMax; + if (fdr_ptr->ipdFirst >= ipdMax + || fdr_ptr->cpd > ipdMax - fdr_ptr->ipdFirst) + fdr_ptr->cpd = 0; + /* Skip FDRs that have no PDRs. */ + if (fdr_ptr->cpd == 0) continue; ++len; } /* Now, create and fill in the table. */ - amt = (bfd_size_type) len * sizeof (struct ecoff_fdrtab_entry); + if (_bfd_mul_overflow (len, sizeof (struct ecoff_fdrtab_entry), &amt)) + { + bfd_set_error (bfd_error_file_too_big); + return false; + } line_info->fdrtab = (struct ecoff_fdrtab_entry*) bfd_zalloc (abfd, amt); if (line_info->fdrtab == NULL) return false; - line_info->fdrtab_len = len; tab = line_info->fdrtab; for (fdr_ptr = fdr_start; fdr_ptr < fdr_end; fdr_ptr++) @@ -1766,6 +1775,10 @@ mk_fdrtab (bfd *abfd, char *sym_ptr; SYMR sym; + if ((long) ((unsigned long) fdr_ptr->isymBase + 1) <= 0 + || fdr_ptr->isymBase + 1 >= debug_info->symbolic_header.isymMax) + continue; + sym_ptr = ((char *) debug_info->external_sym + (fdr_ptr->isymBase + 1) * debug_swap->external_sym_size); (*debug_swap->swap_sym_in) (abfd, sym_ptr, &sym); @@ -1797,12 +1810,14 @@ mk_fdrtab (bfd *abfd, tab->fdr = fdr_ptr; ++tab; } + len = tab - line_info->fdrtab; + line_info->fdrtab_len = len; /* Finally, the table is sorted in increasing memory-address order. The table is mostly sorted already, but there are cases (e.g., static functions in include files), where this does not hold. Use "odump -PFv" to verify... */ - qsort (line_info->fdrtab, (size_t) len, + qsort (line_info->fdrtab, len, sizeof (struct ecoff_fdrtab_entry), cmp_fdrtab_entry); return true;
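
Review bot: The procedure-descriptor check in the @@ -1739,17 hunk bounds ipdFirst and cpd only from above, so if either FDR field is a signed type a negative value passes both comparisons and the entry is still counted (a negative cpd is not == 0). The field types are not visible in this diff; if they are signed, add explicit `fdr_ptr->ipdFirst < 0 || fdr_ptr->cpd < 0` tests, and if they are unsigned a one-line comment saying so would make the check self-explanatory. ipdMax is loop-invariant and could be read once before the for loop.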
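
Review bot: The cast expression `(long) ((unsigned long) fdr_ptr->isymBase + 1) <= 0` in the @@ -1766,6 hunk needs a comment, because its purpose is not obvious from the code. It appears intended to reject a negative isymBase and the case where isymBase + 1 would wrap, and it has to stay the first operand of the `||` so that the signed `fdr_ptr->isymBase + 1` in the second operand is never evaluated on a value that overflows. Stating that ordering requirement next to the check would keep a later cleanup from reordering or simplifying it.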
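
Review bot: At `len = tab - line_info->fdrtab;` in the @@ -1797,12 hunk, the entry count is now derived from how far the fill loop advanced, while the allocation is still sized from the count taken in the first loop. That is only safe as long as the fill loop never stores more entries than the first loop counted, so a short comment recording that invariant at this assignment would help. It is also worth noting there that `line_info->fdrtab` is non-NULL while `fdrtab_len` is still unset for the duration of the fill loop, so nothing called from the loop should read the length.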