From: Alan Modra Date: Wed, 7 May 2025 23:50:23 +0000 (+0930) Subject: windres: buffer overflow X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4aaf663ded55a029f02f83952c0e96e6b1dd4e8d;p=thirdparty%2Fbinutils-gdb.git windres: buffer overflow bin_to_res_menuexitems can be called with random data offsets (and thus remaining lengths), confusing code that expects 4-byte aligned data. Prevent an item length adjustment for alignment exceeding the remaining length and then overflowing. --- diff --git a/binutils/resbin.c b/binutils/resbin.c index 01046ec3f91..3bce84f6766 100644 --- a/binutils/resbin.c +++ b/binutils/resbin.c @@ -433,6 +433,11 @@ bin_to_res_menuexitems (windres_bfd *wrbfd, const bfd_byte *data, itemlen = 14 + slen * 2 + 2; itemlen = (itemlen + 3) &~ 3; + /* Don't allow rounding up of itemlen to exceed length. This + is an anti-fuzzer measure to cope with unexpected offsets and + lengths. */ + if (itemlen > length) + itemlen = length; if ((flags & 1) == 0) {
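Review bot: The clamp added after `itemlen = (itemlen + 3) &~ 3;` silently truncates the item to `length` rather than reporting malformed input, so a menuex item whose padded size runs past the remaining data is accepted with no diagnostic. Consider whether this case should be reported as an error. If the clamp stays, the comment should state the invariant it preserves for the code that follows (`itemlen` never exceeds `length`, which is what the commit message says prevents the overflow) instead of describing it only as an anti-fuzzer measure. After `itemlen = length;` the value is also no longer guaranteed to be a multiple of 4, so it is worth confirming that nothing after `if ((flags & 1) == 0)` relies on that alignment. The visible lines also do not show whether the unrounded `14 + slen * 2 + 2` has already been checked against `length`; if it has not, the clamp hides a short item rather than rejecting it.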