From f14552e5fb480b35bb25fe32e1cec935df4acaae Mon Sep 17 00:00:00 2001
From: Cyrill Gorcunov
Date: Tue, 18 Aug 2020 20:27:14 +0300
Subject: [PATCH] BR3392646: output/outobj.c: fix memory corruption in long object names

When we encode a name we put its length before it, the storage is one byte width so the name can't be more than UINT8_MAX (ie 255) bytes length. Moreover if one provide a name more than RECORD_MAX then we simply overwrite random memory. Thus lets do as in other obj_check calls -- shrink the size we gonna use. But unlike oter code lets yield a warning as well.

Signed-off-by: Cyrill Gorcunov
---
 output/outobj.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/output/outobj.c b/output/outobj.c
index 0d4d3110..f5ab7a24 100644
--- a/output/outobj.c
+++ b/output/outobj.c
@@ -424,6 +424,12 @@ static ObjRecord *obj_name(ObjRecord * orp, const char *name)
 int len = strlen(name);
 uint8_t *ptr;
 
+ if (len > UINT8_MAX) {
+ nasm_warn(WARN_OTHER, "cutting object name '%128s...' to %u bytes",
+ name, UINT8_MAX);
+ len = UINT8_MAX;
+ }
+
 orp = obj_check(orp, len + 1);
 ptr = orp->buf + orp->used;
 *ptr++ = len;
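Review bot: The `%128s` in the new nasm_warn format is a minimum field width, not a maximum, so an over-long name is printed in full (padded, never cut) and the trailing `...` in the message is misleading; the conversion should be `%.128s`. The `%u` paired with `UINT8_MAX` (an int constant) is also a format/argument mismatch under -Wformat; `%d` or a cast to unsigned is cleaner. Proposed: `nasm_warn(WARN_OTHER, "cutting object name '%.128s...' to %d bytes", name, UINT8_MAX);`. The truncation is applied only to `len`, so the later copy of `name` into the record must also be bounded by `len` rather than by the string itself; that copy is outside this hunk and cannot be confirmed from here. obj_name's signature precedes the hunk and its body continues past it.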