Mailing-List: contact binutils-help@sourceware.org; run by ezmlm
Date: Wed, 26 Feb 2020 00:04:00 -0000
From: Alan Modra
To: binutils@sourceware.org
Subject: Limit bogus archive parsed_size
Message-ID: <20200226000407.GA5750@bubble.grove.modra.org>

Archive element size is given by data in the archive, and thus is subject to attack by fuzzers. The only harm this allows is allocation of huge amounts of memory, but some systems don't handle that well. So limit archive element size to archive file size.

	* bfdio.c (bfd_get_file_size): Ignore bogus archive element sizes.

diff --git a/bfd/bfdio.c b/bfd/bfdio.c index 49e0958526..71ac17ec51 100644 --- a/bfd/bfdio.c +++ b/bfd/bfdio.c @@ -25,6 +25,7 @@ #include #include "bfd.h" #include "libbfd.h" +#include "aout/ar.h" #ifndef S_IXUSR #define S_IXUSR 0100 /* Execute by owner. */ @@ -460,11 +461,24 @@ DESCRIPTION ufile_ptr bfd_get_file_size (bfd *abfd) { + ufile_ptr file_size, archive_size = (ufile_ptr) -1; + if (abfd->my_archive != NULL && !bfd_is_thin_archive (abfd->my_archive)) - return arelt_size (abfd); + { + struct areltdata *adata = (struct areltdata *) abfd->arelt_data; + archive_size = adata->parsed_size; + /* If the archive is compressed we can't compare against file size. */ + if (memcmp (((struct ar_hdr *) adata->arch_header)->ar_fmag, "Z\012", 2) == 0) + return archive_size; + abfd = abfd->my_archive; + } - return bfd_get_size (abfd); + file_size = bfd_get_size (abfd); + if (archive_size < file_size) + return archive_size; + return file_size; } /*

-- 
Alan Modra
Australia Development Lab, IBM
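Review bot: In the second hunk the compressed-archive path (ar_fmag equal to "Z\012") returns archive_size straight from adata->parsed_size with no bound at all, so the fuzzer-controlled huge allocation the commit message describes is still possible for compressed archives; the comment explains why the file-size comparison cannot be used there, but the ChangeLog entry ("Ignore bogus archive element sizes") and the commit message should say the limit does not apply to compressed archives, or that path should get some other sane upper bound. A smaller point on the same hunk: the cast "(struct ar_hdr *) adata->arch_header" assumes every archive backend stores a classic struct ar_hdr in arch_header; if any backend uses a different header layout, the memcmp reads an unrelated field, so either state that assumption in the comment or guard the check.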
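Added example, not from Alan's patch or the binutils tree: a stand-alone C program that parses a classic ar member header out of a constructed archive image and applies the same defensive idea as the patch, trusting the decimal ar_size field only up to the bytes that actually exist. It goes one step further than the patch by bounding against the bytes remaining after the header rather than against the whole file size, and it handles uncompressed archives only (any ar_fmag other than the standard terminator is treated as malformed instead of taking the patch's compressed-archive path). The function names (parse_ar_size, bounded_member_size, write_hdr, demo_member_size) and the 72-byte sample image are mine.

```c
/* Added example (not binutils code): parse a classic "ar" member header from
   a constructed archive image and trust its decimal size field only up to
   the bytes that really exist, so a header claiming a huge member cannot
   drive a huge allocation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARMAG "!<arch>\n"   /* archive magic, 8 bytes */
#define SARMAG 8
#define AR_HDR_SIZE 60      /* classic member header, all ASCII fields */
#define ARFMAG "`\n"        /* terminator of an uncompressed member header */

struct ar_member_hdr {
  char ar_name[16];
  char ar_date[12];
  char ar_uid[6];
  char ar_gid[6];
  char ar_mode[8];
  char ar_size[10];         /* decimal, space padded on the right */
  char ar_fmag[2];
};

/* Parse the space-padded decimal ar_size field.  Sets *ok to 0 and returns
   0 on anything that is not a plain decimal number.  Ten digits cannot
   overflow a uint64_t, so no overflow check is needed. */
static uint64_t parse_ar_size(const char field[10], int *ok)
{
  uint64_t v = 0;
  int i, digits = 0;

  *ok = 0;
  for (i = 0; i < 10; i++) {
    if (field[i] == ' ') {
      /* Padding: everything after the first space must be space too. */
      for (; i < 10; i++)
        if (field[i] != ' ')
          return 0;
      break;
    }
    if (field[i] < '0' || field[i] > '9')
      return 0;
    v = v * 10 + (uint64_t)(field[i] - '0');
    digits++;
  }
  if (digits == 0)
    return 0;
  *ok = 1;
  return v;
}

/* Size of the member whose header starts at hdr_offset, clamped to the bytes
   that actually follow the header in an image of file_size bytes.  Returns
   (uint64_t)-1 for a malformed header.  If claimed is non-NULL it receives
   the unclamped value from the header, for logging. */
uint64_t bounded_member_size(const unsigned char *archive, uint64_t file_size,
                             uint64_t hdr_offset, uint64_t *claimed)
{
  struct ar_member_hdr hdr;
  uint64_t size, avail;
  int ok;

  if (file_size < SARMAG || memcmp(archive, ARMAG, SARMAG) != 0)
    return (uint64_t)-1;
  /* The header itself must fit inside the image. */
  if (file_size < AR_HDR_SIZE || hdr_offset < SARMAG
      || hdr_offset > file_size - AR_HDR_SIZE)
    return (uint64_t)-1;
  memcpy(&hdr, archive + hdr_offset, AR_HDR_SIZE);
  if (memcmp(hdr.ar_fmag, ARFMAG, 2) != 0)
    return (uint64_t)-1;
  size = parse_ar_size(hdr.ar_size, &ok);
  if (!ok)
    return (uint64_t)-1;
  if (claimed)
    *claimed = size;
  avail = file_size - (hdr_offset + AR_HDR_SIZE);
  return size < avail ? size : avail;
}

/* Write a member header with the given name and raw size field at dst.
   Constructed test data, not read from any real archive. */
static void write_hdr(unsigned char *dst, const char *name,
                      const char *size_field)
{
  char buf[AR_HDR_SIZE + 1];

  snprintf(buf, sizeof buf, "%-16s%-12s%-6s%-6s%-8s%-10s%s",
           name, "0", "0", "0", "644", size_field, ARFMAG);
  memcpy(dst, buf, AR_HDR_SIZE);
}

/* Build a 72-byte one-member archive (magic, header, 4 payload bytes) whose
   header carries size_field, and return the bounded member size. */
uint64_t demo_member_size(const char *size_field, uint64_t *claimed)
{
  unsigned char img[SARMAG + AR_HDR_SIZE + 4];

  memcpy(img, ARMAG, SARMAG);
  write_hdr(img + SARMAG, "hello.o/", size_field);
  memcpy(img + SARMAG + AR_HDR_SIZE, "\177ELF", 4);
  return bounded_member_size(img, sizeof img, SARMAG, claimed);
}

int main(void)
{
  const char *fields[] = { "4", "9999999999", "12x" };
  size_t i;

  for (i = 0; i < sizeof fields / sizeof fields[0]; i++) {
    uint64_t claimed = 0;
    uint64_t bounded = demo_member_size(fields[i], &claimed);

    if (bounded == (uint64_t)-1)
      printf("ar_size \"%s\": malformed header, rejected\n", fields[i]);
    else
      printf("ar_size \"%s\": header claims %llu bytes, bounded to %llu\n",
             fields[i], (unsigned long long)claimed,
             (unsigned long long)bounded);
  }
  return 0;
}
```

The three sample fields exercise the cases that matter to a loader: a truthful size, a ten-digit size far beyond the 72-byte image (the fuzzer case from the commit message, clamped to the 4 payload bytes present), and a non-numeric field that is rejected outright rather than parsed as 0.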