PR26188, buff overflow in coff_find_nearest_line_with_names

Message ID 20200701114719.GP30281@bubble.grove.modra.org
State New

Commit Message

David Faust via Binutils July 1, 2020, 11:47 a.m.
PR 26188
	* coffgen.c (coff_find_nearest_line_with_names): Sanity check
	raw syment index before dereferencing.


-- 
Alan Modra
Australia Development Lab, IBM

Patch

diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index 94589b43d2..3291b693eb 100644
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -2435,11 +2435,15 @@  coff_find_nearest_line_with_names (bfd *abfd,
 
 		  /* In XCOFF a debugging symbol can follow the
 		     function symbol.  */
-		  if (s->u.syment.n_scnum == N_DEBUG)
+		  if (((size_t) ((char *) s - (char *) obj_raw_syments (abfd))
+		       < obj_raw_syment_count (abfd) * sizeof (*s))
+		      && s->u.syment.n_scnum == N_DEBUG)
 		    s = s + 1 + s->u.syment.n_numaux;
 
 		  /* S should now point to the .bf of the function.  */
-		  if (s->u.syment.n_numaux)
+		  if (((size_t) ((char *) s - (char *) obj_raw_syments (abfd))
+		       < obj_raw_syment_count (abfd) * sizeof (*s))
+		      && s->u.syment.n_numaux)
 		    {
 		      /* The linenumber is stored in the auxent.  */
 		      union internal_auxent *a = &((s + 1)->u.auxent);
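
Review bot: The second range test, the one now guarding `s->u.syment.n_numaux`, only establishes that `s` itself lies inside the raw syment array, but the body then forms `&((s + 1)->u.auxent)`, so when `s` is the last entry the auxent sits one past the end. Consider also requiring that `s + 1` is within `obj_raw_syment_count (abfd)` entries before the auxent is used. The identical offset expression now appears twice; a small static helper or macro taking `abfd` and `s` would keep the two checks in sync and make the conditions easier to read.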