windres: buffer overflow

bin_to_res_menuexitems can be called with random data offsets (and thus
remaining lengths), confusing code that expects 4-byte aligned data.
Prevent an item length adjustment for alignment exceeding the
remaining length and then overflowing.

diff --git a/binutils/resbin.c b/binutils/resbin.c
index 01046ec3f9149d17a64919084bede862946c4238..3bce84f6766c5e2f32ec1b1dc4494e32919833ac 100644 (file)
--- a/binutils/resbin.c
+++ b/binutils/resbin.c
@@ -433,6 +433,11 @@ bin_to_res_menuexitems (windres_bfd *wrbfd, const bfd_byte *data,
 
       itemlen = 14 + slen * 2 + 2;
       itemlen = (itemlen + 3) &~ 3;
+      /* Don't allow rounding up of itemlen to exceed length.  This
+        is an anti-fuzzer measure to cope with unexpected offsets and
+        lengths.   */
+      if (itemlen > length)
+       itemlen = length;
 
       if ((flags & 1) == 0)
        {