From patchwork Tue May 9 03:56:43 2023
X-Patchwork-Submitter: Alan Modra
X-Patchwork-Id: 91360
Date: Tue, 9 May 2023 13:26:43 +0930
From: Alan Modra
To: binutils@sourceware.org
Subject: alpha-vms reloc sanity check

Stops fuzzed files triggering reads past the end of the reloc buffer.

	* vms-alpha.c (alpha_vms_slurp_relocs): Sanity check reloc records.

diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
index d06d743f224..b0ad4016da3 100644
--- a/bfd/vms-alpha.c
+++ b/bfd/vms-alpha.c
@@ -5292,12 +5292,18 @@ alpha_vms_slurp_relocs (bfd *abfd) begin = PRIV (recrd.rec) + 4; end = PRIV (recrd.rec) + PRIV (recrd.rec_size); - for (ptr = begin; ptr < end; ptr += length) + for (ptr = begin; ptr + 4 <= end; ptr += length) { int cmd; cmd = bfd_getl16 (ptr); length = bfd_getl16 (ptr + 2); + if (length < 4 || length > end - ptr) + { + bad_rec: + _bfd_error_handler (_("corrupt reloc record")); + goto fail; + } cur_address = vaddr; @@ -5313,6 +5319,8 @@ alpha_vms_slurp_relocs (bfd *abfd) continue; case ETIR__C_STA_PQ: /* ALPHA_R_REF{LONG|QUAD}, others part 1 */ + if (length < 16) + goto bad_rec; cur_psidx = bfd_getl32 (ptr + 4); cur_addend = bfd_getl64 (ptr + 8); prev_cmd = cmd; @@ -5346,6 +5354,8 @@ alpha_vms_slurp_relocs (bfd *abfd) goto fail; } } + if (length < 8) + goto bad_rec; cur_addend = bfd_getl32 (ptr + 4); prev_cmd = cmd; continue; @@ -5360,6 +5370,8 @@ alpha_vms_slurp_relocs (bfd *abfd) _bfd_vms_etir_name (ETIR__C_STA_QW)); goto fail; } + if (length < 12) + goto bad_rec; cur_addend = bfd_getl64 (ptr + 4); prev_cmd = cmd; continue; @@ -5455,12 +5467,16 @@ alpha_vms_slurp_relocs (bfd *abfd) goto call_reloc; call_reloc: + if (length < 36) + goto bad_rec; cur_sym = ptr + 4 + 32; cur_address = bfd_getl64 (ptr + 4 + 8); cur_addend = bfd_getl64 (ptr + 4 + 24); break; case ETIR__C_STO_IMM: + if (length < 8) + goto bad_rec; vaddr += bfd_getl32 (ptr + 4); continue; @@ -5520,12 +5536,16 @@ alpha_vms_slurp_relocs (bfd *abfd) if (cur_sym != NULL) { unsigned int j; - unsigned int symlen = *cur_sym; + int symlen; asymbol **sym; /* Linear search. */ + if (end - cur_sym < 1) + goto bad_rec; symlen = *cur_sym; cur_sym++; + if (end - cur_sym < symlen) + goto bad_rec; sym = NULL; for (j = 0; j < PRIV (gsd_sym_count); j++)
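Review bot: in the first hunk (@@ -5292), the new `length < 4 || length > end - ptr` test also rejects a zero-length record, which before this change would have left `ptr` unchanged and spun the loop forever; that is worth a word in a comment next to the check, since it is a second bug fixed by the same line. Two nits on the same hunk: the loop header `ptr + 4 <= end` forms a pointer beyond `end` when fewer than 4 bytes remain, which strict C does not allow even if it is never dereferenced, and `end - ptr >= 4` expresses the same bound without that; and the `bad_rec:` label sits inside the `if` body, so every later `goto bad_rec` jumps into the middle of that block. It is valid, but hoisting the label out next to `fail:` would read more naturally.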
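Review bot: in the `ETIR__C_STA_PQ` hunk (@@ -5313), `length < 16` does match the reads that follow (`bfd_getl32 (ptr + 4)` ends at offset 8, `bfd_getl64 (ptr + 8)` at offset 16), but nothing ties the constant to those offsets. A short comment such as `/* 4 header + 4 psidx + 8 addend.  */` would stop a later edit to the field layout from silently breaking the bound; the same applies to the `length < 8` and `length < 12` checks in the two hunks after it.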
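Review bot: in the `call_reloc` hunk (@@ -5455), `length < 36` covers the two 64-bit reads (offsets 12..20 and 28..36) and leaves `cur_sym` at `ptr + 36`, which in the minimal case is exactly `ptr + length`, so the symbol length byte and name that `cur_sym` points at are not covered by this check at all. That is only safe because of the `end - cur_sym` checks added further down; a one-line comment here saying the symbol is validated where it is consumed would make that dependency explicit. The `ETIR__C_STO_IMM` check `length < 8` matches the single `bfd_getl32 (ptr + 4)` read and needs nothing more.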
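Review bot: in the symbol lookup hunk (@@ -5520), the change of `symlen` from `unsigned int` to `int` is unexplained; `symlen` only ever holds the single byte `*cur_sym`, so if the intent is to keep `end - cur_sym < symlen` a signed comparison against the `ptrdiff_t` on the left, a comment saying so would help. Separately, both new checks bound the name by `end` (the whole record buffer) rather than by `ptr + length` (the current reloc record); that keeps the read inside the buffer, which is the stated goal, but if the name is meant to lie within its own record, bounding it by `ptr + length` would reject more malformed input. Minor: `end - cur_sym < 1` is just `cur_sym >= end`, which reads more directly.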