* readelf looping in process_archive
@ 2020-03-25 12:02 Alan Modra
From: Alan Modra @ 2020-03-25 12:02 UTC (permalink / raw)
To: binutils
With a crafted "negative" ar_hdr.ar_size it is possible to make
readelf loop. This patch catches the overflow in a file offset
calculation.
* readelf.c (process_archive): Prevent endless loop.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 1f0f49222f..9bc15e4d0b 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -20505,11 +20505,13 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
{
free (name);
archive_file_offset = arch.next_arhdr_offset;
- arch.next_arhdr_offset += archive_file_size;
-
filedata->file_name = qualified_name;
if (! process_object (filedata))
ret = FALSE;
+ arch.next_arhdr_offset += archive_file_size;
+ /* Stop looping with "negative" archive_file_size. */
+ if (arch.next_arhdr_offset < archive_file_size)
+ break;
}
free (qualified_name);
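Review bot: the new `break;` on the wrap-around path leaves the loop before the `free (qualified_name);` that appears as the hunk's trailing context, so if that free is the per-iteration cleanup of qualified_name, the bail-out path now leaks it; free it before breaking, or arrange for the loop body to fall through to the existing free. Two smaller points: the check `if (arch.next_arhdr_offset < archive_file_size)` only detects wrap-around when both operands are unsigned and of the same width, which deserves a comment next to the "negative" wording, and breaking silently means a crafted member size ends archive processing with no diagnostic at all, so consider reporting an error so the truncated output is not mistaken for a complete listing.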
--
Alan Modra
Australia Development Lab, IBM
* Re: readelf looping in process_archive
From: Alan Modra @ 2020-03-27 0:13 UTC (permalink / raw)
To: binutils
This patch fixes a leak of qualified_name caused by 4c83662712 and a
double free introduced by fd486f32d1. Not breaking out of the loop
results in an error: "failed to seek to next archive header". That's
slightly better than silently preventing the possibility of endless
loops.
* readelf.c (process_archive): Don't double free qualified_name.
Don't break out of loop with "negative" archive_file_size, just
set file offset to max.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 9bc15e4d0b..eb41e10dae 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -20461,7 +20461,6 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
close_file (member_filedata);
free (member_file_name);
- free (qualified_name);
}
else if (is_thin_archive)
{
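Review bot: dropping this `free (qualified_name);` from the thin-archive member branch only resolves the double free if every path out of that branch reaches the single remaining free at the bottom of the loop body; any `continue`, `break` or early return between this point and that free would now turn the double free into a leak, so the intervening code is worth a second look while the change is fresh.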
@@ -20511,7 +20510,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
arch.next_arhdr_offset += archive_file_size;
/* Stop looping with "negative" archive_file_size. */
if (arch.next_arhdr_offset < archive_file_size)
- break;
+ arch.next_arhdr_offset = -1ul;
}
free (qualified_name);
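Review bot: the retained comment `/* Stop looping with "negative" archive_file_size. */` no longer matches the code; the loop now continues and relies on the next seek to offset `-1ul` failing with "failed to seek to next archive header", so reword it to say that the offset is deliberately set to the maximum so the following seek fails. Assigning `-1ul` also assumes next_arhdr_offset is an unsigned long; if the field were ever widened, ULONG_MAX would become a representable offset and the loop could keep going, so using the field's own maximum would be more robust. Setting the offset rather than breaking does keep the body falling through to `free (qualified_name);`, which is what closes the leak described in the message.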
--
Alan Modra
Australia Development Lab, IBM