From: Alan Modra <amodra@sourceware.org>
To: bfd-cvs@sourceware.org
Subject: [binutils-gdb] Yet another out-of-memory fuzzed object
Date: Wed, 19 Apr 2023 23:34:40 +0000 (GMT)
Message-ID: <20230419233440.99BA93858D37@sourceware.org>
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3b37f0f1b86cc1fb3ba9cc6d89695109db7f829a
commit 3b37f0f1b86cc1fb3ba9cc6d89695109db7f829a
Author: Alan Modra <amodra@gmail.com>
Date: Wed Apr 19 22:32:15 2023 +0930
Yet another out-of-memory fuzzed object
Do I care about out of memory conditions triggered by fuzzers? Not
much. Your operating system ought to be able to handle it by killing
the memory hog. Oh well, this one was an element of a coff-alpha
archive that said it was a little less than 2**64 in size. The
coff-alpha compression scheme expands at most 8 times, so we can do
better in bfd_get_file_size.
* bfdio.c (bfd_get_file_size): Assume elements in compressed
archive can only expand a maximum of eight times.
* coffgen.c (_bfd_coff_get_external_symbols): Sanity check
size of symbol table against file size.
Diff:
---
bfd/bfdio.c | 9 +++++----
bfd/coffgen.c | 10 ++++++++++
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/bfd/bfdio.c b/bfd/bfdio.c
index 337d4a10b66..990d349d428 100644
--- a/bfd/bfdio.c
+++ b/bfd/bfdio.c
@@ -524,6 +524,7 @@ ufile_ptr
bfd_get_file_size (bfd *abfd)
{
ufile_ptr file_size, archive_size = (ufile_ptr) -1;
+ unsigned int compression_p2 = 0;
if (abfd->my_archive != NULL
&& !bfd_is_thin_archive (abfd->my_archive))
@@ -532,17 +533,17 @@ bfd_get_file_size (bfd *abfd)
if (adata != NULL)
{
archive_size = adata->parsed_size;
- /* If the archive is compressed we can't compare against
- file size. */
+ /* If the archive is compressed, assume an element won't
+ expand more than eight times file size. */
if (adata->arch_header != NULL
&& memcmp (((struct ar_hdr *) adata->arch_header)->ar_fmag,
"Z\012", 2) == 0)
- return archive_size;
+ compression_p2 = 3;
abfd = abfd->my_archive;
}
}
- file_size = bfd_get_size (abfd);
+ file_size = bfd_get_size (abfd) << compression_p2;
if (archive_size < file_size)
return archive_size;
return file_size;
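Review bot: the `compression_p2 = 3` assignment encodes the coff-alpha scheme's worst-case eight-fold expansion, but nothing at that line says so; the commit message carries that justification, the code does not, so a short comment next to the assignment naming the scheme would keep the bound from looking arbitrary. A second, minor point on `file_size = bfd_get_size (abfd) << compression_p2;`: ufile_ptr is unsigned, so for an archive larger than 2**61 bytes the shift wraps and the computed bound becomes smaller than the real file, which is unreachable in practice but worth a saturating check or a comment if the bound is meant to be strictly safe.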
diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index 4725406b5ae..05f2640abe2 100644
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1551,6 +1551,7 @@ _bfd_coff_get_external_symbols (bfd *abfd)
size_t symesz;
size_t size;
void * syms;
+ ufile_ptr filesize;
if (obj_coff_external_syms (abfd) != NULL)
return true;
@@ -1565,6 +1566,15 @@ _bfd_coff_get_external_symbols (bfd *abfd)
if (size == 0)
return true;
+ filesize = bfd_get_file_size (abfd);
+ if (filesize != 0
+ && ((ufile_ptr) obj_sym_filepos (abfd) > filesize
+ || size > filesize - obj_sym_filepos (abfd)))
+ {
+ bfd_set_error (bfd_error_file_truncated);
+ return false;
+ }
+
if (bfd_seek (abfd, obj_sym_filepos (abfd), SEEK_SET) != 0)
return false;
syms = _bfd_malloc_and_read (abfd, size, size);
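Review bot: the new check is correct but relies on two implicit facts: `filesize != 0` treats a zero from bfd_get_file_size as "size unknown" and skips the check entirely, and the first comparison `(ufile_ptr) obj_sym_filepos (abfd) > filesize` is what keeps the subtraction `filesize - obj_sym_filepos (abfd)` on the following line from wrapping (the cast also turns a negative symbol file position into a value larger than filesize, so it is rejected). A one-line comment above the `if` stating both would save the next reader from re-deriving them, and it would make clear that this is the guard that stops `_bfd_malloc_and_read (abfd, size, size)` from being asked for a near-2**64 allocation on the fuzzed input described in the commit message.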