From a98c743fdf721a2333220209ca15e147badb55d1 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Mon, 24 Feb 2020 13:19:13 +1030
Subject: [PATCH] Re: vms buffer overflows and large memory allocation

The last patch wasn't quite correct. I'd missed the fact that sbm_off had been updated.

	* vms-lib.c (_bfd_vms_lib_archive_p): Correct overflow checks.
---
 bfd/ChangeLog | 4 ++++
 bfd/vms-lib.c | 14 ++++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 58b560d1aa..eeb042c32f 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,7 @@
+2020-02-24 Alan Modra
+
+ * vms-lib.c (_bfd_vms_lib_archive_p): Correct overflow checks.
+
 2020-02-24 Alan Modra
 * vms-lib.c (struct carsym_mem): Add limit.
diff --git a/bfd/vms-lib.c b/bfd/vms-lib.c
index 3b42857aa9..87f865864c 100644
--- a/bfd/vms-lib.c
+++ b/bfd/vms-lib.c
@@ -627,6 +627,8 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind)
 sbm = (struct vms_dcxsbm *) (buf + sbm_off);
 sbm_sz = bfd_getl16 (sbm->size);
 sbm_off += sbm_sz;
+ if (sbm_off > reclen)
+ goto err;
 sbmdesc->min_char = sbm->min_char;
 BFD_ASSERT (sbmdesc->min_char == 0);
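Review bot: The added `if (sbm_off > reclen) goto err;` bounds the sub-block as a whole but not the header fields read through `sbm`: `sbm->size` is read before the check and `sbm->min_char`, `sbm->flags`, `sbm->nodes` and `sbm->next` (next hunk) after it, so a crafted `size` smaller than the header that still lands `sbm_off` at or just below `reclen` lets those reads run past the end of `buf`, and on the following iteration `sbm->size` is read at `buf + sbm_off` with `sbm_off` possibly equal to `reclen`. Unless the check on the lines between this hunk and the next already enforces it, I would guard the header before dereferencing, `if (reclen - sbm_off < sizeof (struct vms_dcxsbm)) goto err;` ahead of the `sbm =` line (assuming `sbm_off` starts within `reclen`, which I cannot see), and tighten the new test to `if (sbm_sz < sizeof (struct vms_dcxsbm) || sbm_off > reclen) goto err;` so a sub-block can never be shorter than its own header. The enclosing loop and _bfd_vms_lib_archive_p start and end outside the hunk.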
@@ -639,21 +641,21 @@ _bfd_vms_lib_archive_p (bfd *abfd, enum vms_lib_kind kind)
 goto err;
 sbmdesc->flags = (unsigned char *)bfd_alloc (abfd, l);
 off = bfd_getl16 (sbm->flags);
- if (off > reclen - sbm_off
- || reclen - sbm_off - off < l)
+ if (off > sbm_sz
+ || sbm_sz - off < l)
 goto err;
 memcpy (sbmdesc->flags, (bfd_byte *) sbm + off, l);
 sbmdesc->nodes = (unsigned char *)bfd_alloc (abfd, 2 * sbm_len);
 off = bfd_getl16 (sbm->nodes);
- if (off > reclen - sbm_off
- || reclen - sbm_off - off < 2 * sbm_len)
+ if (off > sbm_sz
+ || sbm_sz - off < 2 * sbm_len)
 goto err;
 memcpy (sbmdesc->nodes, (bfd_byte *) sbm + off, 2 * sbm_len);
 off = bfd_getl16 (sbm->next);
 if (off != 0)
 {
- if (off > reclen - sbm_off
- || reclen - sbm_off - off < 2 * sbm_len)
+ if (off > sbm_sz
+ || sbm_sz - off < 2 * sbm_len)
 goto err;
 /* Read the 'next' array. */
 sbmdesc->next = (unsigned short *) bfd_alloc (abfd, 2 * sbm_len);
-- 
2.34.1
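Review bot: The three `bfd_alloc` results (`sbmdesc->flags`, `sbmdesc->nodes`, `sbmdesc->next`) feed `memcpy` with no NULL check, and the rewritten bounds tests leave that as is; if `bfd_alloc` can return NULL on failure, as its error-returning convention suggests, an allocation failure here turns into a NULL-pointer write. Each allocation is also made before the offset it depends on is validated, so a malformed sub-block that takes `goto err` leaves the allocation behind unless the err path (outside the hunk) releases it. I would validate first and then check the allocation, for the flags case `if (off > sbm_sz || sbm_sz - off < l) goto err;` followed by `sbmdesc->flags = (unsigned char *) bfd_alloc (abfd, l); if (sbmdesc->flags == NULL) goto err;`, and likewise for nodes and next. The new checks themselves read correctly: `off` is now bounded by `sbm_sz`, which the previous hunk bounds by `reclen`, and the subtraction only runs after `off > sbm_sz` has been excluded, assuming both are unsigned as the `bfd_getl16` source suggests. The function starts and ends outside the hunk.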