From patchwork Sun Feb 19 03:47:16 2023
X-Patchwork-Submitter: Alan Modra
X-Patchwork-Id: 59075
Date: Sun, 19 Feb 2023 14:17:16 +1030
To: binutils@sourceware.org
Subject: Buffer overflow in evax_bfd_print_eobj
From: Alan Modra

* vms-alpha.c (evax_bfd_print_eobj): Rewrite header handling, sanity checking rec_len. Check bfd_malloc return.

diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c index fd2cf50441f..d06d743f224 100644 --- a/bfd/vms-alpha.c +++ b/bfd/vms-alpha.c @@ -6853,7 +6853,7 @@ static void evax_bfd_print_eobj (struct bfd *abfd, FILE *file) { bool is_first = true; - bool has_records = false; + bool has_records = true; while (1) {
@@ -6862,81 +6862,68 @@ evax_bfd_print_eobj (struct bfd *abfd, FILE *file) unsigned char *rec; unsigned int hdr_size; unsigned int type; + unsigned char buf[6]; - if (is_first) + hdr_size = has_records ? 6 : 4; + if (bfd_bread (buf, hdr_size, abfd) != hdr_size) { - unsigned char buf[6]; - - is_first = false; - - /* Read 6 bytes. */ - if (bfd_bread (buf, sizeof (buf), abfd) != sizeof (buf)) - { - fprintf (file, _("cannot read GST record length\n")); - return; - } - rec_len = bfd_getl16 (buf + 0); - if (rec_len == bfd_getl16 (buf + 4) - && bfd_getl16 (buf + 2) == EOBJ__C_EMH) - { - /* The format is raw: record-size, type, record-size. */ - has_records = true; - pad_len = (rec_len + 1) & ~1U; - hdr_size = 4; - } - else if (rec_len == EOBJ__C_EMH) - { - has_records = false; - pad_len = bfd_getl16 (buf + 2); - hdr_size = 6; - } - else - { - /* Ill-formed. */ - fprintf (file, _("cannot find EMH in first GST record\n")); - return; - } - rec = bfd_malloc (pad_len); - memcpy (rec, buf + sizeof (buf) - hdr_size, hdr_size); + fprintf (file, _("cannot read GST record header\n")); + return; } - else + + type = bfd_getl16 (buf); + rec_len = bfd_getl16 (buf + 2); + pad_len = rec_len; + if (has_records) { - unsigned int rec_len2 = 0; - unsigned char hdr[4]; + unsigned int rec_len2 = bfd_getl16 (buf + 4); - if (has_records) + if (is_first) { - unsigned char buf_len[2]; - - if (bfd_bread (buf_len, sizeof (buf_len), abfd) - != sizeof (buf_len)) + is_first = false; + if (type == rec_len2 && rec_len == EOBJ__C_EMH) + /* Matched a VMS record EMH. */ + ; + else { - fprintf (file, _("cannot read GST record length\n")); - return; + has_records = false; + if (type != EOBJ__C_EMH) + { + /* Ill-formed. 
*/ + fprintf (file, _("cannot find EMH in first GST record\n")); + return; + } } - rec_len2 = (unsigned)bfd_getl16 (buf_len); } - if (bfd_bread (hdr, sizeof (hdr), abfd) != sizeof (hdr)) - { - fprintf (file, _("cannot read GST record header\n")); - return; - } - rec_len = (unsigned)bfd_getl16 (hdr + 2); if (has_records) - pad_len = (rec_len + 1) & ~1U; - else - pad_len = rec_len; - rec = bfd_malloc (pad_len); - memcpy (rec, hdr, sizeof (hdr)); - hdr_size = sizeof (hdr); - if (has_records && rec_len2 != rec_len) { - fprintf (file, _(" corrupted GST\n")); - break; + /* VMS record format is: record-size, type, record-size. + See maybe_adjust_record_pointer_for_object comment. */ + if (type == rec_len2) + { + type = rec_len; + rec_len = rec_len2; + } + else + rec_len = 0; + pad_len = (rec_len + 1) & ~1U; + hdr_size = 4; } } + if (rec_len < hdr_size) + { + fprintf (file, _("corrupted GST\n")); + return; + } + + rec = bfd_malloc (pad_len); + if (rec == NULL) + return; + + memcpy (rec, buf + (has_records ? 2 : 0), hdr_size); + if (bfd_bread (rec + hdr_size, pad_len - hdr_size, abfd) != pad_len - hdr_size) { @@ -6944,8 +6931,6 @@ evax_bfd_print_eobj (struct bfd *abfd, FILE *file) return; } - type = (unsigned)bfd_getl16 (rec); - switch (type) { case EOBJ__C_EMH:
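Review bot: in the first hunk (`@@ -6853,7 +6853,7 @@`), the new initial value `has_records = true` is a probing choice rather than a statement of fact: it makes the first header read 6 bytes so that both the VMS record layout and the raw layout can be told apart, and the flag is corrected on the first record. A one-line comment at the declaration, e.g. `/* Read a 6-byte header first; fixed up once the first record is seen.  */`, would spare the next reader from wondering why the default flipped from false to true.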
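Review bot: in the second hunk (`@@ -6862,81 +6862,68 @@`), the added `if (rec_len < hdr_size)` test is the actual overflow fix and deserves a comment saying so: in the old code a record claiming a length smaller than its 4-byte header made `pad_len - hdr_size` wrap as unsigned, and `bfd_bread (rec + hdr_size, pad_len - hdr_size, abfd)` then wrote far past the `pad_len`-byte buffer from `bfd_malloc`. Two related points in the same hunk: when the first record turns out to be raw format (`has_records` is cleared but `hdr_size` stays 6), the check effectively requires `rec_len >= 6` and `memcpy (rec, buf + (has_records ? 2 : 0), hdr_size)` deliberately carries the two extra probe bytes into the record body, which is correct but non-obvious and worth a comment; and `if (type == rec_len2 && rec_len == EOBJ__C_EMH) /* Matched a VMS record EMH. */ ; else { ... }` with an empty statement reads awkwardly, so consider negating the condition and dropping the empty branch. Finally, the new `if (rec == NULL) return;` after `bfd_malloc` is silent while every other early return in this loop prints a diagnostic; a short message there would keep the output consistent and stop an allocation failure from looking like normal end of input.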