From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: by sourceware.org (Postfix, from userid 1062) id 4A62E3850855; Sun, 19 Mar 2023 11:54:17 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 4A62E3850855
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
From: Alan Modra
To: bfd-cvs@sourceware.org
Subject: [binutils-gdb] XCOFF archive sanity check
X-Act-Checkin: binutils-gdb
X-Git-Author: Alan Modra
X-Git-Refname: refs/heads/master
X-Git-Oldrev: 5f51eb9397768a6d93e523e05f5b7e8f78465c71
X-Git-Newrev: 99b847478c35b64ffddaf7af53c348217d037cb2
Message-Id: <20230319115417.4A62E3850855@sourceware.org>
Date: Sun, 19 Mar 2023 11:54:17 +0000 (GMT)
X-BeenThere: binutils-cvs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Binutils-cvs mailing list
List-Unsubscribe: ,
List-Archive:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 19 Mar 2023 11:54:17 -0000

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=99b847478c35b64ffddaf7af53c348217d037cb2

commit 99b847478c35b64ffddaf7af53c348217d037cb2
Author: Alan Modra
Date:   Sat Mar 18 16:34:08 2023 +1030

    XCOFF archive sanity check

    XCOFF archive elements are in a linked list.  Add a little more sanity
    checking.  This of course doesn't stop the fuzzers finding a way to
    make a loop, but this check is cheap.

    	* coff-rs6000.c (_bfd_xcoff_openr_next_archived_file): Sanity check
    	that next element isn't pointing back to the header.

Diff:
---
 bfd/coff-rs6000.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c
index 4b7b5d315df..735d434951e 100644
--- a/bfd/coff-rs6000.c
+++ b/bfd/coff-rs6000.c
@@ -1714,8 +1714,11 @@ _bfd_xcoff_openr_next_archived_file (bfd *archive, b= fd *last_file) laststart -=3D SIZEOF_AR_HDR + arel->extra_size; } =20 - /* Sanity check that we aren't pointing into the previous element. = */ - if (filestart !=3D 0 && filestart >=3D laststart && filestart < last= end) + /* Sanity check that we aren't pointing into the previous element, + or into the header. */ + if (filestart !=3D 0 + && (filestart < SIZEOF_AR_FILE_HDR + || (filestart >=3D laststart && filestart < lastend))) { bfd_set_error (bfd_error_malformed_archive); return NULL; @@ -1747,8 +1750,11 @@ _bfd_xcoff_openr_next_archived_file (bfd *archive, b= fd *last_file) laststart -=3D SIZEOF_AR_HDR_BIG + arel->extra_size; } =20 - /* Sanity check that we aren't pointing into the previous element. = */ - if (filestart !=3D 0 && filestart >=3D laststart && filestart < last= end) + /* Sanity check that we aren't pointing into the previous element + or into the header. */ + if (filestart !=3D 0 + && (filestart < SIZEOF_AR_FILE_HDR_BIG + || (filestart >=3D laststart && filestart < lastend))) { bfd_set_error (bfd_error_malformed_archive); return NULL;
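Review bot: the new `filestart < SIZEOF_AR_FILE_HDR` test in the first hunk only rejects offsets that land inside the archive file header; an offset equal to SIZEOF_AR_FILE_HDR (the first member), or the offset of any element visited earlier than the immediate predecessor, still passes both halves of the condition, so a two-element cycle remains reachable, as the commit message concedes. The `filestart >= laststart && filestart < lastend` half also tests only the start offset: since `laststart` is the start of the previous element's header (`laststart -= SIZEOF_AR_HDR + arel->extra_size`), a next pointer just below `laststart` whose own header and data then extend past it overlaps the previous element without being caught. If member order cannot be required for this format, a per-walk set of visited element offsets, or an element count bounded by the archive size, would close the loop; the overlap case can be checked once the new element's header has been read and its extent is known.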
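Review bot: the comment in the second hunk drops the comma the first hunk has ("previous element, / or into the header" versus "previous element / or into the header"); pick one wording for both. More substantively, the two branches now carry identical logic differing only in SIZEOF_AR_FILE_HDR versus SIZEOF_AR_FILE_HDR_BIG; a small static helper taking the file-header size and the laststart/lastend pair would keep the two checks from drifting apart, and the limitation of the small-format branch applies here unchanged: the first member at offset SIZEOF_AR_FILE_HDR_BIG is still an accepted target for any later element's next pointer.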