Large memory allocation reading fuzzed 64-bit archive
@ 2020-03-05 0:47 Alan Modra
From: Alan Modra @ 2020-03-05 0:47 UTC (permalink / raw)
To: binutils
This patch adds a sanity check for the size of an armap.
* archive64.c (_bfd_archive_64_bit_slurp_armap): Check parsed_size
against file size before allocating memory. Use bfd_alloc rather
than bfd_zalloc for carsym/strings memory.
diff --git a/bfd/archive64.c b/bfd/archive64.c
index d4b0c3cf0c..5e1443932c 100644
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -47,6 +47,7 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
bfd_byte *raw_armap = NULL;
carsym *carsyms;
bfd_size_type amt;
+ ufile_ptr filesize;
ardata->symdefs = NULL;
@@ -76,6 +77,13 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
parsed_size = mapdata->parsed_size;
free (mapdata);
+ filesize = bfd_get_file_size (abfd);
+ if (filesize != 0 && parsed_size > filesize)
+ {
+ bfd_set_error (bfd_error_malformed_archive);
+ return FALSE;
+ }
+
if (bfd_bread (int_buf, 8, abfd) != 8)
{
if (bfd_get_error () != bfd_error_system_call)
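Review bot: the bound at `if (filesize != 0 && parsed_size > filesize)` is the whole file size, but the armap body being read here starts after the archive magic and the member header, so a parsed_size equal to the file size still passes and the allocation that follows can still be larger than what is left to read. Comparing against the bytes remaining from the current position (`filesize - bfd_tell (abfd)`) would be the tighter bound. Worth a one-line comment too that the check is deliberately skipped when bfd_get_file_size returns 0 (size unknown), since for such inputs the allocation stays unbounded.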
@@ -102,7 +110,7 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
bfd_set_error (bfd_error_malformed_archive);
return FALSE;
}
- ardata->symdefs = (struct carsym *) bfd_zalloc (abfd, amt);
+ ardata->symdefs = (struct carsym *) bfd_alloc (abfd, amt);
if (ardata->symdefs == NULL)
return FALSE;
carsyms = ardata->symdefs;
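Review bot: dropping the zero fill at `ardata->symdefs = (struct carsym *) bfd_alloc (abfd, amt);` is only safe if the loop that follows writes every field (name and file offset) of every element before anything reads the array; the loop is not in this hunk, so please confirm an early return on a malformed entry cannot leave a partly filled table behind ardata->symdefs. Also, the ChangeLog entry says "carsym/strings memory", but only the carsym allocation appears in this diff; if the strings allocation was meant to change as well, that hunk is missing.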
--
Alan Modra
Australia Development Lab, IBM
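The pattern the patch applies, as an added example that is not part of this message or of binutils: a standalone C parser for a 64-bit armap body that bounds the member size by the bytes remaining in the file before any size read from the input drives an allocation. The /SYM64/ layout used here (an 8-byte big-endian symbol count, one 8-byte big-endian offset per symbol, then a NUL-separated string table), the in-memory sample file and every function name are this example's own assumptions, and the bound is tightened to the bytes left after the current position rather than the whole file size.

```c
/* Added example, not binutils code: bound a 64-bit archive symbol table
   (armap) by the file it came from before any size read from the input
   drives an allocation.  Layout assumed for the /SYM64/ body: an 8-byte
   big-endian symbol count, one 8-byte big-endian offset per symbol, then
   a NUL-separated string table.  The file is a constructed buffer.  */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint64_t
get_be64 (const uint8_t *p)
{
  uint64_t v = 0;
  for (int i = 0; i < 8; i++)
    v = (v << 8) | p[i];
  return v;
}

static void
put_be64 (uint8_t *p, uint64_t v)
{
  for (int i = 7; i >= 0; i--, v >>= 8)
    p[i] = (uint8_t) (v & 0xff);
}

/* The patch's check, tightened to the bytes remaining after POS rather
   than the whole file.  FILE_SIZE == 0 means "unknown" (a pipe, say) and
   skips the check, as the patch does.  */
int
armap_size_plausible (uint64_t parsed_size, uint64_t file_size, uint64_t pos)
{
  if (file_size == 0)
    return 1;
  return pos <= file_size && parsed_size <= file_size - pos;
}

/* Parse the PARSED_SIZE-byte armap body at FILE + POS.  Returns the symbol
   count with the offsets in *OFFSETS_OUT (caller frees), or -1 if the
   table is malformed.  Nothing allocated is larger than the member.  */
long
parse_armap64 (const uint8_t *file, uint64_t file_size, uint64_t pos,
	       uint64_t parsed_size, uint64_t **offsets_out)
{
  if (!armap_size_plausible (parsed_size, file_size, pos) || parsed_size < 8)
    return -1;
  const uint8_t *p = file + pos;
  uint64_t nsyms = get_be64 (p);
  /* Divide rather than multiply so a huge count cannot wrap the check.  */
  if (nsyms > (parsed_size - 8) / 8)
    return -1;
  uint64_t strtab_off = 8 + nsyms * 8;
  uint64_t strtab_len = parsed_size - strtab_off;
  /* Each name needs at least its NUL, and the table must end in one.  */
  if (nsyms > strtab_len || (nsyms > 0 && p[parsed_size - 1] != '\0'))
    return -1;
  uint64_t nstr = 0;
  for (uint64_t i = 0; i < strtab_len; i++)
    nstr += p[strtab_off + i] == '\0';
  if (nstr < nsyms)
    return -1;
  uint64_t *offsets = malloc (nsyms * sizeof *offsets);
  if (offsets == NULL && nsyms != 0)
    return -1;
  for (uint64_t i = 0; i < nsyms; i++)
    offsets[i] = get_be64 (p + 8 + i * 8);
  *offsets_out = offsets;
  return (long) nsyms;
}

/* Constructed sample: a two-symbol body ("foo", "bar") at offset 68 of a
   128-byte file; the offset stands in for the archive magic and member
   header.  CLAIMED_NSYMS and PARSED_SIZE let a caller fuzz the header;
   returns parse_armap64's result and stores the second offset if SECOND.  */
#define SAMPLE_FILE_SIZE 128
#define SAMPLE_ARMAP_POS 68
#define SAMPLE_ARMAP_SIZE 32	/* 8 + 2 * 8 + sizeof "foo\0bar" */
long
sample_parse (uint64_t parsed_size, uint64_t claimed_nsyms, uint64_t *second)
{
  uint8_t file[SAMPLE_FILE_SIZE] = { 0 };
  uint8_t *p = file + SAMPLE_ARMAP_POS;
  put_be64 (p, claimed_nsyms);
  put_be64 (p + 8, 100);
  put_be64 (p + 16, 200);
  memcpy (p + 24, "foo\0bar", 8);
  uint64_t *offsets = NULL;
  long n = parse_armap64 (file, sizeof file, SAMPLE_ARMAP_POS, parsed_size,
			  &offsets);
  if (n >= 2 && second != NULL)
    *second = offsets[1];
  free (offsets);
  return n;
}

int
main (void)
{
  printf ("well-formed: %ld\n", sample_parse (SAMPLE_ARMAP_SIZE, 2, NULL));
  /* A header claiming a 1 TiB member is rejected before any allocation.  */
  printf ("fuzzed size: %ld\n", sample_parse ((uint64_t) 1 << 40, 2, NULL));
  printf ("fuzzed count: %ld\n", sample_parse (SAMPLE_ARMAP_SIZE, 1000000, NULL));
  return 0;
}
```

The symbol count is checked as `nsyms > (parsed_size - 8) / 8` rather than `nsyms * 8 + 8 > parsed_size` so that a fuzzed 64-bit count cannot wrap the comparison, and the string table is checked for enough terminators before the offsets array is allocated, so every malloc size is already bounded by a member size that was itself bounded by the file.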