PR30657, gprof heap buffer overflow

PR 30657
	* cg_arcs.c (cg_assemble): Sanity check find_call addresses.
	* i386.c (i386_find_call): Don't access past end of core_text_space.
	* aarch64.c (aarch64_find_call): Round up lowpc, round down highpc.
	* alpha.c (alpha_find_call): Likewise.
	* mips.c (mips_find_call): Likewise.
	* sparc.c (sparc_find_call): Likewise.
	* vax.c (vax_find_call): Sanity check core_text_space accesses.

gprof/vax.c

@@ -252,6 +252,8 @@ vax_find_call (Sym *parent, bfd_vma p_lowpc, bfd_vma p_highpc)
 			  (unsigned long) p_highpc));
   for (pc = p_lowpc; pc < p_highpc; pc += length)
     {
+      unsigned char *operand;
+
       length = 1;
       instructp = ((unsigned char *) core_text_space
 		   + pc - core_text_sect->vma);
@@ -263,7 +265,10 @@ vax_find_call (Sym *parent, bfd_vma p_lowpc, bfd_vma p_highpc)
 	   */
 	  DBG (CALLDEBUG,
 	       printf ("[findcall]\t0x%lx:calls", (unsigned long) pc));
-	  firstmode = vax_operandmode (instructp + length);
+	  if (pc - core_text_sect->vma + length >= core_text_sect->size)
+	    goto botched;
+	  operand = instructp + length;
+	  firstmode = vax_operandmode (operand);
 	  switch (firstmode)
 	    {
 	    case literal:
@@ -272,8 +277,11 @@ vax_find_call (Sym *parent, bfd_vma p_lowpc, bfd_vma p_highpc)
 	    default:
 	      goto botched;
 	    }
-	  length += vax_operandlength (instructp + length);
-	  mode = vax_operandmode (instructp + length);
+	  length += vax_operandlength (operand);
+	  if (pc - core_text_sect->vma + length >= core_text_sect->size)
+	    goto botched;
+	  operand = instructp + length;
+	  mode = vax_operandmode (operand);
 	  DBG (CALLDEBUG,
 	       printf ("\tfirst operand is %s", vax_operandname (firstmode));
 	       printf ("\tsecond operand is %s\n", vax_operandname (mode)));
@@ -294,8 +302,10 @@ vax_find_call (Sym *parent, bfd_vma p_lowpc, bfd_vma p_highpc)
 	       *      [are there others that we miss?,
 	       *       e.g. arrays of pointers to functions???]
 	       */
+	      length += vax_operandlength (operand);
+	      if (pc - core_text_sect->vma + length > core_text_sect->size)
+		goto botched;
 	      arc_add (parent, &indirectchild, (unsigned long) 0);
-	      length += vax_operandlength (instructp + length);
 	      continue;
 	    case byterel:
 	    case wordrel:
@@ -305,7 +315,10 @@ vax_find_call (Sym *parent, bfd_vma p_lowpc, bfd_vma p_highpc)
 	       *      check that this is the address of
 	       *      a function.
 	       */
-	      destpc = pc + vax_offset (instructp + length);
+	      length += vax_operandlength (operand);
+	      if (pc - core_text_sect->vma + length > core_text_sect->size)
+		goto botched;
+	      destpc = pc + vax_offset (operand);
 	      if (hist_check_address (destpc))
 		{
 		  child = sym_lookup (&symtab, destpc);
@@ -324,7 +337,6 @@ vax_find_call (Sym *parent, bfd_vma p_lowpc, bfd_vma p_highpc)
 		           *    a hit
 		           */
 		          arc_add (parent, child, (unsigned long) 0);
-		          length += vax_operandlength (instructp + length);
 		          continue;
 		        }
 		    }