vms_debug2 ((8, "_bfd_vms_slurp_eihd\n"));
+ /* PR 21813: Check for an undersized record. */
+ if (PRIV (recrd.buf_size) < sizeof (* eihd))
+ {
+ _bfd_error_handler (_("Corrupt EIHD record - size is too small"));
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+
size = bfd_getl32 (eihd->size);
imgtype = bfd_getl32 (eihd->imgtype);
struct vms_eisd *eisd;
unsigned int rec_size;
unsigned int size;
- unsigned long long vaddr;
+ bfd_uint64_t vaddr;
unsigned int flags;
unsigned int vbn;
char *name = NULL;
asection *section;
flagword bfd_flags;
- /* PR 17512: file: 3d9e9fe9. */
- if (offset >= PRIV (recrd.rec_size))
+ /* PR 17512: file: 3d9e9fe9.
+ 12 is the offset of the eisdsize field from the start of the record (8)
+ plus the size of the eisdsize field (4). */
+ if (offset >= PRIV (recrd.rec_size) - 12)
return FALSE;
eisd = (struct vms_eisd *)(PRIV (recrd.rec) + offset);
rec_size = bfd_getl32 (eisd->eisdsize);
offset = (offset + VMS_BLOCK_SIZE) & ~(VMS_BLOCK_SIZE - 1);
continue;
}
- else
- offset += rec_size;
+
+ /* Make sure that there is enough data present in the record. */
+ /* FIXME: Should we use sizeof (struct vms_eisd) rather than just 32 here ? */
+ if (rec_size < 32)
+ return FALSE;
+ /* Make sure that the record is not too big either. */
+ if (offset + rec_size >= PRIV (recrd.rec_size))
+ return FALSE;
+
+ offset += rec_size;
size = bfd_getl32 (eisd->secsize);
vaddr = bfd_getl64 (eisd->virt_addr);
if (flags & EISD__M_GBL)
{
- name = _bfd_vms_save_counted_string (eisd->gblnam);
+ if (rec_size < offsetof (struct vms_eisd, gblnam))
+ return FALSE;
+ else if (rec_size < sizeof (struct vms_eisd))
+ name = _bfd_vms_save_counted_string (eisd->gblnam,
+ rec_size - offsetof (struct vms_eisd, gblnam));
+ else
+ name = _bfd_vms_save_counted_string (eisd->gblnam, EISD__K_GBLNAMLEN);
bfd_flags |= SEC_COFF_SHARED_LIBRARY;
bfd_flags &= ~(SEC_ALLOC | SEC_LOAD);
}
PRIV (hdr_data).hdr_l_recsiz = bfd_getl32 (vms_rec + 16);
if ((vms_rec + 20 + vms_rec[20] + 1) >= end)
goto fail;
- PRIV (hdr_data).hdr_t_name = _bfd_vms_save_counted_string (vms_rec + 20);
+ PRIV (hdr_data).hdr_t_name = _bfd_vms_save_counted_string (vms_rec + 20, vms_rec[20]);
ptr = vms_rec + 20 + vms_rec[20] + 1;
if ((ptr + *ptr + 1) >= end)
goto fail;
- PRIV (hdr_data).hdr_t_version =_bfd_vms_save_counted_string (ptr);
+ PRIV (hdr_data).hdr_t_version =_bfd_vms_save_counted_string (ptr, *ptr);
ptr += *ptr + 1;
if (ptr + 17 >= end)
goto fail;
vms_debug2 ((2, "EGSD\n"));
+ if (PRIV (recrd.rec_size) < 8)
+ {
+ _bfd_error_handler (_("Corrupt EGSD record: its size (%#x) is too small"),
+ PRIV (recrd.rec_size));
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+
PRIV (recrd.rec) += 8; /* Skip type, size, align pad. */
PRIV (recrd.rec_size) -= 8;
return FALSE;
}
+ if (gsd_size < 4)
+ {
+ _bfd_error_handler (_("Corrupt EGSD record: size (%#x) is too small"),
+ gsd_size);
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+
switch (gsd_type)
{
case EGSD__C_PSC:
char *name;
unsigned long align_addr;
- name = _bfd_vms_save_counted_string (&egps->namlng);
+ name = _bfd_vms_save_counted_string (&egps->namlng, gsd_size - 4);
section = bfd_make_section (abfd, name);
if (!section)
if (old_flags & EGSY__V_DEF)
{
struct vms_esdf *esdf = (struct vms_esdf *)vms_rec;
+ long psindx;
entry->value = bfd_getl64 (esdf->value);
- entry->section = PRIV (sections)[bfd_getl32 (esdf->psindx)];
+ if (PRIV (sections) == NULL)
+ return FALSE;
+
+ psindx = bfd_getl32 (esdf->psindx);
+ /* PR 21813: Check for an out of range index. */
+ if (psindx < 0 || psindx >= (int) PRIV (section_count))
+ {
+ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
+ psindx);
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+ entry->section = PRIV (sections)[psindx];
if (old_flags & EGSY__V_NORM)
{
PRIV (norm_sym_count)++;
entry->code_value = bfd_getl64 (esdf->code_address);
- entry->code_section =
- PRIV (sections)[bfd_getl32 (esdf->ca_psindx)];
+ psindx = bfd_getl32 (esdf->ca_psindx);
+ /* PR 21813: Check for an out of range index. */
+ if (psindx < 0 || psindx >= (int) PRIV (section_count))
+ {
+ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
+ psindx);
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+ entry->code_section = PRIV (sections)[psindx];
}
}
}
entry->symbol_vector = bfd_getl32 (egst->value);
if (old_flags & EGSY__V_REL)
- entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
+ {
+ long psindx;
+
+ if (PRIV (sections) == NULL)
+ return FALSE;
+ psindx = bfd_getl32 (egst->psindx);
+ /* PR 21813: Check for an out of range index. */
+ if (psindx < 0 || psindx >= (int) PRIV (section_count))
+ {
+ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"),
+ psindx);
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+ entry->section = PRIV (sections)[psindx];
+ }
else
entry->section = bfd_abs_section_ptr;
PRIV (recrd.rec) += gsd_size;
}
+ /* FIXME: Should we complain if PRIV (recrd.rec_size) is not zero ? */
+
if (PRIV (gsd_sym_count) > 0)
abfd->flags |= HAS_SYMS;
vms_debug2 ((4, "image_set_ptr (0x%08x, sect=%d)\n", (unsigned)vma, sect));
+ if (PRIV (sections) == NULL)
+ return;
+ if (sect < 0 || sect >= (int) PRIV (section_count))
+ return;
+
sec = PRIV (sections)[sect];
if (info)
alpha_vms_fix_sec_rel (bfd *abfd, struct bfd_link_info *info,
unsigned int rel, bfd_vma vma)
{
- asection *sec = PRIV (sections)[rel & RELC_MASK];
+ asection *sec;
+
+ if (PRIV (sections) == NULL)
+ return 0;
+
+ sec = PRIV (sections)[rel & RELC_MASK];
if (info)
{
vms_debug2 ((2, "EEOM\n"));
+ /* PR 21813: Check for an undersized record. */
+ if (PRIV (recrd.buf_size) < sizeof (* eeom))
+ {
+ _bfd_error_handler (_("Corrupt EEOM record - size is too small"));
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+
PRIV (eom_data).eom_l_total_lps = bfd_getl32 (eeom->total_lps);
PRIV (eom_data).eom_w_comcod = bfd_getl16 (eeom->comcod);
if (PRIV (eom_data).eom_w_comcod > 1)
PRIV (recrd.buf_size) = PRIV (recrd.rec_size);
}
+ /* PR 21813: Check for a truncated record. */
+ if (PRIV (recrd.rec_size < test_len))
+ goto error_ret;
/* Read the remaining record. */
remaining = PRIV (recrd.rec_size) - test_len;
to_read = MIN (VMS_BLOCK_SIZE - test_len, remaining);
{
case DST__K_MODBEG:
module->name
- = _bfd_vms_save_counted_string (ptr + DST_S_B_MODBEG_NAME);
+ = _bfd_vms_save_counted_string (ptr + DST_S_B_MODBEG_NAME,
+ maxptr - (ptr + DST_S_B_MODBEG_NAME));
curr_pc = 0;
prev_pc = 0;
funcinfo = (struct funcinfo *)
bfd_zalloc (abfd, sizeof (struct funcinfo));
funcinfo->name
- = _bfd_vms_save_counted_string (ptr + DST_S_B_RTNBEG_NAME);
+ = _bfd_vms_save_counted_string (ptr + DST_S_B_RTNBEG_NAME,
+ maxptr - (ptr + DST_S_B_RTNBEG_NAME));
funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS);
funcinfo->next = module->func_table;
module->func_table = funcinfo;
unsigned int fileid
= bfd_getl16 (src_ptr + DST_S_W_SRC_DF_FILEID);
char *filename
- = _bfd_vms_save_counted_string (src_ptr
- + DST_S_B_SRC_DF_FILENAME);
+ = _bfd_vms_save_counted_string (src_ptr + DST_S_B_SRC_DF_FILENAME,
+ (ptr + rec_length) -
+ (src_ptr + DST_S_B_SRC_DF_FILENAME)
+ );
while (fileid >= module->file_table_count)
{
return FALSE;
}
+ if (PRIV (sections) == NULL)
+ return FALSE;
sec = PRIV (sections)[cur_psect];
if (sec == bfd_abs_section_ptr)
{
reloc->sym_ptr_ptr = sym;
}
else if (cur_psidx >= 0)
- reloc->sym_ptr_ptr =
- PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
+ {
+ if (PRIV (sections) == NULL || cur_psidx >= (int) PRIV (section_count))
+ return FALSE;
+ reloc->sym_ptr_ptr =
+ PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
+ }
else
reloc->sym_ptr_ptr = NULL;
{
struct vms_emh_common *emh = (struct vms_emh_common *)rec;
unsigned int subtype;
+ int extra;
- subtype = (unsigned)bfd_getl16 (emh->subtyp);
+ subtype = (unsigned) bfd_getl16 (emh->subtyp);
/* xgettext:c-format */
fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
return;
}
-
+ extra = rec_len - sizeof (struct vms_emh_common);
+
switch (subtype)
{
case EMH__C_MHD:
{
- struct vms_emh_mhd *mhd = (struct vms_emh_mhd *)rec;
- const char *name;
+ struct vms_emh_mhd *mhd = (struct vms_emh_mhd *) rec;
+ const char * name;
+ const char * nextname;
+ const char * maxname;
+ /* PR 21840: Check for invalid lengths. */
+ if (rec_len < sizeof (* mhd))
+ {
+ fprintf (file, _(" Error: The record length is less than the size of an EMH_MHD record\n"));
+ return;
+ }
fprintf (file, _("Module header\n"));
fprintf (file, _(" structure level: %u\n"), mhd->strlvl);
fprintf (file, _(" max record size: %u\n"),
- (unsigned)bfd_getl32 (mhd->recsiz));
+ (unsigned) bfd_getl32 (mhd->recsiz));
name = (char *)(mhd + 1);
+ maxname = (char *) rec + rec_len;
+ if (name > maxname - 2)
+ {
+ fprintf (file, _(" Error: The module name is missing\n"));
+ return;
+ }
+ nextname = name + name[0] + 1;
+ if (nextname >= maxname)
+ {
+ fprintf (file, _(" Error: The module name is too long\n"));
+ return;
+ }
fprintf (file, _(" module name : %.*s\n"), name[0], name + 1);
- name += name[0] + 1;
+ name = nextname;
+ if (name > maxname - 2)
+ {
+ fprintf (file, _(" Error: The module version is missing\n"));
+ return;
+ }
+ nextname = name + name[0] + 1;
+ if (nextname >= maxname)
+ {
+ fprintf (file, _(" Error: The module version is too long\n"));
+ return;
+ }
fprintf (file, _(" module version : %.*s\n"), name[0], name + 1);
- name += name[0] + 1;
- fprintf (file, _(" compile date : %.17s\n"), name);
+ name = nextname;
+ if ((maxname - name) < 17 && maxname[-1] != 0)
+ fprintf (file, _(" Error: The compile date is truncated\n"));
+ else
+ fprintf (file, _(" compile date : %.17s\n"), name);
}
break;
+
case EMH__C_LNM:
- {
- fprintf (file, _("Language Processor Name\n"));
- fprintf (file, _(" language name: %.*s\n"),
- (int)(rec_len - sizeof (struct vms_emh_common)),
- (char *)rec + sizeof (struct vms_emh_common));
- }
+ fprintf (file, _("Language Processor Name\n"));
+ fprintf (file, _(" language name: %.*s\n"), extra, (char *)(emh + 1));
break;
+
case EMH__C_SRC:
- {
- fprintf (file, _("Source Files Header\n"));
- fprintf (file, _(" file: %.*s\n"),
- (int)(rec_len - sizeof (struct vms_emh_common)),
- (char *)rec + sizeof (struct vms_emh_common));
- }
+ fprintf (file, _("Source Files Header\n"));
+ fprintf (file, _(" file: %.*s\n"), extra, (char *)(emh + 1));
break;
+
case EMH__C_TTL:
- {
- fprintf (file, _("Title Text Header\n"));
- fprintf (file, _(" title: %.*s\n"),
- (int)(rec_len - sizeof (struct vms_emh_common)),
- (char *)rec + sizeof (struct vms_emh_common));
- }
+ fprintf (file, _("Title Text Header\n"));
+ fprintf (file, _(" title: %.*s\n"), extra, (char *)(emh + 1));
break;
+
case EMH__C_CPR:
- {
- fprintf (file, _("Copyright Header\n"));
- fprintf (file, _(" copyright: %.*s\n"),
- (int)(rec_len - sizeof (struct vms_emh_common)),
- (char *)rec + sizeof (struct vms_emh_common));
- }
+ fprintf (file, _("Copyright Header\n"));
+ fprintf (file, _(" copyright: %.*s\n"), extra, (char *)(emh + 1));
break;
+
default:
fprintf (file, _("unhandled emh subtype %u\n"), subtype);
break;
fprintf (file, _("OPR_ADD (add)\n"));
break;
case ETIR__C_OPR_SUB:
- fprintf (file, _("OPR_SUB (substract)\n"));
+ fprintf (file, _("OPR_SUB (subtract)\n"));
break;
case ETIR__C_OPR_MUL:
fprintf (file, _("OPR_MUL (multiply)\n"));