Re: vms buffer overflows and large memory allocation
[deliverable/binutils-gdb.git] / bfd / vms-lib.c
index 3b42857aa9ce7e89d1e5c66da7c1a2e55eb24f42..87f865864c644ce55a317bf63bc7283f83242b50 100644 (file)
@@ -627,6 +627,8 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind)
          sbm = (struct vms_dcxsbm *) (buf + sbm_off);
          sbm_sz = bfd_getl16 (sbm->size);
          sbm_off += sbm_sz;
+         if (sbm_off > reclen)
+           goto err;
 
          sbmdesc->min_char = sbm->min_char;
          BFD_ASSERT (sbmdesc->min_char == 0);
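Review bot: The added `sbm_off > reclen` test puts no lower bound on `sbm_sz`, and it runs only after `bfd_getl16 (sbm->size)` has already read from `buf + sbm_off`. A size smaller than `sizeof (struct vms_dcxsbm)`, including 0, passes the test, yet the following lines still read `sbm->min_char`, `sbm->flags`, `sbm->nodes` and `sbm->next` from the header. For a submap at the tail of the record those reads could fall past `reclen`. Unless a check outside this hunk already guarantees a full header, I would test `reclen - sbm_off < sizeof (struct vms_dcxsbm)` before the cast and then use `if (sbm_sz < sizeof (struct vms_dcxsbm) || sbm_off > reclen) goto err;` here. The enclosing loop starts and ends outside the hunk, so the types of `sbm_off` and `reclen` are not visible and should be confirmed as unsigned.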
@@ -639,21 +641,21 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind)
            goto err;
          sbmdesc->flags = (unsigned char *)bfd_alloc (abfd, l);
          off = bfd_getl16 (sbm->flags);
-         if (off > reclen - sbm_off
-             || reclen - sbm_off - off < l)
+         if (off > sbm_sz
+             || sbm_sz - off < l)
            goto err;
          memcpy (sbmdesc->flags, (bfd_byte *) sbm + off, l);
          sbmdesc->nodes = (unsigned char *)bfd_alloc (abfd, 2 * sbm_len);
          off = bfd_getl16 (sbm->nodes);
-         if (off > reclen - sbm_off
-             || reclen - sbm_off - off < 2 * sbm_len)
+         if (off > sbm_sz
+             || sbm_sz - off < 2 * sbm_len)
            goto err;
          memcpy (sbmdesc->nodes, (bfd_byte *) sbm + off, 2 * sbm_len);
          off = bfd_getl16 (sbm->next);
          if (off != 0)
            {
-             if (off > reclen - sbm_off
-                 || reclen - sbm_off - off < 2 * sbm_len)
+             if (off > sbm_sz
+                 || sbm_sz - off < 2 * sbm_len)
                goto err;
              /* Read the 'next' array.  */
              sbmdesc->next = (unsigned short *) bfd_alloc (abfd, 2 * sbm_len);
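Review bot: The `bfd_alloc` results stored in `sbmdesc->flags` and `sbmdesc->nodes` go straight into `memcpy` with no NULL test, so an allocation failure while parsing a malformed library becomes a write through a null pointer. I would add `if (sbmdesc->flags == NULL) goto err;` and `if (sbmdesc->nodes == NULL) goto err;` directly after the respective allocations. It would also help to do each `off > sbm_sz || sbm_sz - off < ...` test before the matching `bfd_alloc`, so that out-of-range offsets are rejected before any memory is requested. The handling of the `sbmdesc->next` allocation continues past the end of the hunk and is not visible here.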