_bfd_vms_slurp_eihs (bfd *abfd, unsigned int offset)
{
unsigned char *p = PRIV (recrd.rec) + offset;
- unsigned int gstvbn = bfd_getl32 (p + EIHS__L_GSTVBN);
- unsigned int gstsize ATTRIBUTE_UNUSED = bfd_getl32 (p + EIHS__L_GSTSIZE);
- unsigned int dstvbn = bfd_getl32 (p + EIHS__L_DSTVBN);
- unsigned int dstsize = bfd_getl32 (p + EIHS__L_DSTSIZE);
- unsigned int dmtvbn = bfd_getl32 (p + EIHS__L_DMTVBN);
- unsigned int dmtbytes = bfd_getl32 (p + EIHS__L_DMTBYTES);
+ unsigned int gstvbn;
+ unsigned int gstsize ATTRIBUTE_UNUSED;
+ unsigned int dstvbn;
+ unsigned int dstsize;
+ unsigned int dmtvbn;
+ unsigned int dmtbytes;
asection *section;
+ /* PR 21611: Check that offset is valid. */
+ if (offset > PRIV (recrd.rec_size) - (EIHS__L_DMTBYTES + 4))
+ {
+ _bfd_error_handler (_("Unable to read EIHS record at offset %#x"), offset);
+ bfd_set_error (bfd_error_file_truncated);
+ return FALSE;
+ }
+
+ gstvbn = bfd_getl32 (p + EIHS__L_GSTVBN);
+ gstsize = bfd_getl32 (p + EIHS__L_GSTSIZE);
+ dstvbn = bfd_getl32 (p + EIHS__L_DSTVBN);
+ dstsize = bfd_getl32 (p + EIHS__L_DSTSIZE);
+ dmtvbn = bfd_getl32 (p + EIHS__L_DMTVBN);
+ dmtbytes = bfd_getl32 (p + EIHS__L_DMTBYTES);
+
#if VMS_DEBUG
vms_debug (8, "_bfd_vms_slurp_ihs\n");
vms_debug (4, "EIHS record gstvbn %d gstsize %d dstvbn %d dstsize %d dmtvbn %d dmtbytes %d\n",
static bfd_boolean
_bfd_vms_slurp_egsd (bfd *abfd)
{
- int gsd_type, gsd_size;
+ int gsd_type;
+ unsigned int gsd_size;
unsigned char *vms_rec;
unsigned long base_addr;
/* Calculate base address for each section. */
base_addr = 0L;
- while (PRIV (recrd.rec_size) > 0)
+ while (PRIV (recrd.rec_size) > 4)
{
vms_rec = PRIV (recrd.rec);
vms_debug2 ((3, "egsd_type %d\n", gsd_type));
+ /* PR 21615: Check for size overflow. */
+ if (PRIV (recrd.rec_size) < gsd_size)
+ {
+ _bfd_error_handler (_("Corrupt EGSD record: size (%#x) is larger than remaining space (%#x)"),
+ gsd_size, PRIV (recrd.rec_size));
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+
switch (gsd_type)
{
case EGSD__C_PSC:
/* xgettext:c-format */
fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
+ /* PR 21618: Check for invalid lengths. */
+ if (rec_len < sizeof (* emh))
+ {
+ fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
+ return;
+ }
+
switch (subtype)
{
case EMH__C_MHD:
struct vms_eeom *eeom = (struct vms_eeom *)rec;
fprintf (file, _(" EEOM (len=%u):\n"), rec_len);
+
+ /* PR 21618: Check for invalid lengths. */
+ if (rec_len < sizeof (* eeom))
+ {
+ fprintf (file, _(" Error: The length is less than the length of an EEOM record\n"));
+ return;
+ }
+
fprintf (file, _(" number of cond linkage pairs: %u\n"),
(unsigned)bfd_getl32 (eeom->total_lps));
fprintf (file, _(" completion code: %u\n"),
n, type, len);
n++;
+ if (off + len > rec_len || off + len < off)
+ {
+ fprintf (file, _(" Error: length larger than remaining space in record\n"));
+ return;
+ }
+
switch (type)
{
case EGSD__C_PSC:
size = bfd_getl16 (etir->size);
buf = rec + off + sizeof (struct vms_etir);
+ if (off + size > rec_len || off + size < off)
+ {
+ fprintf (file, _(" Error: length larger than remaining space in record\n"));
+ return;
+ }
+
/* xgettext:c-format */
fprintf (file, _(" (type: %3u, size: 4+%3u): "), type, size - 4);
switch (type)
projects / deliverable / binutils-gdb.git / blobdiff