asan: stack-buffer-overflow vms-lib.c:367

* vms-lib.c (vms_traverse_index): Account for vms_kbn size when sanity checking keylen.
2024-11-23 18:14:13 +08:00 · 2021-05-05 13:33:00 +09:30 · 2021-05-05 13:33:00 +09:30 · c38c6234f2
commit c38c6234f2
parent 5318ba65f8
2 changed files with 6 additions and 1 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,8 @@
+2021-05-05  Alan Modra  <amodra@gmail.com>
+
+	* vms-lib.c (vms_traverse_index): Account for vms_kbn size when
+	sanity checking keylen.
+
 2021-05-04  Nick Clifton  <nickc@redhat.com>

 	* libbfd.c (bfd_malloc): Provide some documenation.  Treat a size
--- a/bfd/vms-lib.c
+++ b/bfd/vms-lib.c
@ -357,7 +357,7 @@ vms_traverse_index (bfd *abfd, unsigned int vbn, struct carsym_mem *cs,
 		    return false;
 		  kbn = (struct vms_kbn *)(kblk + koff);
 		  klen = bfd_getl16 (kbn->keylen);
-		  if (klen > sizeof (kblk) - koff)
+		  if (klen > sizeof (kblk) - sizeof (struct vms_kbn) - koff)
 		    return false;
 		  kvbn = bfd_getl32 (kbn->rfa.vbn);
 		  koff = bfd_getl16 (kbn->rfa.offset);