Yet another ecoff fuzzed object fix

* ecoff.c (_bfd_ecoff_slurp_symbol_table): Sanity check fdr_ptr csym against remaining space for symbols. Error on out of bounds fdr_ptr fields.
2023-06-05 16:21:25 +09:30
parent 5b207b9194
commit 6fc018e9e5
1 changed files with 9 additions and 3 deletions
--- a/bfd/ecoff.c
+++ b/bfd/ecoff.c
@@ -956,13 +956,19 @@ _bfd_ecoff_slurp_symbol_table (bfd *abfd)
      char *lraw_end;
      HDRR *symhdr = &ecoff_data (abfd)->debug_info.symbolic_header;

+      if (fdr_ptr->csym == 0)
+	continue;
      if (fdr_ptr->isymBase < 0
 	  || fdr_ptr->isymBase > symhdr->isymMax
-	  || fdr_ptr->csym <= 0
-	  || fdr_ptr->csym > symhdr->isymMax - fdr_ptr->isymBase
+	  || fdr_ptr->csym < 0
+	  || fdr_ptr->csym > ((long) bfd_get_symcount (abfd)
+			      - (internal_ptr - internal))
 	  || fdr_ptr->issBase < 0
 	  || fdr_ptr->issBase > symhdr->issMax)
-	continue;
+	{
+	  bfd_set_error (bfd_error_bad_value);
+	  return false;
+	}
      lraw_src = ((char *) ecoff_data (abfd)->debug_info.external_sym
 		  + fdr_ptr->isymBase * external_sym_size);
      lraw_end = lraw_src + fdr_ptr->csym * external_sym_size;