public inbox for binutils@sourceware.org
* readelf looping in process_archive
@ 2020-03-25 12:02 Alan Modra
  2020-03-27  0:13 ` Alan Modra
  0 siblings, 1 reply; 2+ messages in thread
From: Alan Modra @ 2020-03-25 12:02 UTC (permalink / raw)
  To: binutils

With a crafted "negative" ar_hdr.ar_size it is possible to make
readelf loop.  This patch catches the overflow in a file offset
calculation.

	* readelf.c (process_archive): Prevent endless loop.

diff --git a/binutils/readelf.c b/binutils/readelf.c
index 1f0f49222f..9bc15e4d0b 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -20505,11 +20505,13 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
 	{
 	  free (name);
 	  archive_file_offset = arch.next_arhdr_offset;
-	  arch.next_arhdr_offset += archive_file_size;
-
 	  filedata->file_name = qualified_name;
 	  if (! process_object (filedata))
 	    ret = FALSE;
+	  arch.next_arhdr_offset += archive_file_size;
+	  /* Stop looping with "negative" archive_file_size.  */
+	  if (arch.next_arhdr_offset < archive_file_size)
+	    break;
 	}
 
       free (qualified_name);
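Review bot: Breaking out at `if (arch.next_arhdr_offset < archive_file_size)` ends the member walk silently, so an archive carrying a crafted member size is processed to completion without any diagnostic; emitting a warning at that point would make the truncation visible to the user instead of quietly dropping the remaining members. The test itself is the right one for unsigned wraparound: on unsigned types the sum `a + b` can only be smaller than one of its addends if it wrapped. Moving `arch.next_arhdr_offset += archive_file_size;` to after `process_object (filedata)` also means the advance now uses whatever archive_file_size holds once the member has been processed; worth confirming that process_object() never modifies it.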

-- 
Alan Modra
Australia Development Lab, IBM


* Re: readelf looping in process_archive
  2020-03-25 12:02 readelf looping in process_archive Alan Modra
@ 2020-03-27  0:13 ` Alan Modra
  0 siblings, 0 replies; 2+ messages in thread
From: Alan Modra @ 2020-03-27  0:13 UTC (permalink / raw)
  To: binutils

This patch fixes a leak of qualified_name caused by 4c83662712 and a
double free introduced by fd486f32d1.  Not breaking out of the loop
results in an error: "failed to seek to next archive header".  That's
slightly better than silently preventing the possibility of endless
loops.

	* readelf.c (process_archive): Don't double free qualified_name.
	Don't break out of loop with "negative" archive_file_size, just
	set file offset to max.

diff --git a/binutils/readelf.c b/binutils/readelf.c
index 9bc15e4d0b..eb41e10dae 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -20461,7 +20461,6 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
 
 	  close_file (member_filedata);
 	  free (member_file_name);
-	  free (qualified_name);
 	}
       else if (is_thin_archive)
 	{
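Review bot: Dropping this `free (qualified_name);` is consistent with the unconditional `free (qualified_name);` at the end of the loop body (visible as the last context line of the next hunk), which is what turned the two frees into a double free; it is worth checking that no path between this branch and that final free re-assigns qualified_name without releasing the earlier allocation, since that would trade the double free for a leak.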
@@ -20511,7 +20510,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
 	  arch.next_arhdr_offset += archive_file_size;
 	  /* Stop looping with "negative" archive_file_size.  */
 	  if (arch.next_arhdr_offset < archive_file_size)
-	    break;
+	    arch.next_arhdr_offset = -1ul;
 	}
 
       free (qualified_name);
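Review bot: The comment `/* Stop looping with "negative" archive_file_size.  */` is now stale: the loop is no longer stopped here, the offset is pushed to its maximum so that the following seek fails with "failed to seek to next archive header"; rewording it to say that would save the next reader a detour. Also, `-1ul` is ULONG_MAX, which is only the largest value arch.next_arhdr_offset can hold if that field is an unsigned long; if it is a wider type (a 64-bit offset on a 32-bit host), prefer `-1` cast to the field's own type so the sentinel really is the maximum. Any further arithmetic on the sentinel before the seek (adding a header size for a bounds check, for instance) wraps back to a small value, so the seek failure must remain the first thing that touches it.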

-- 
Alan Modra
Australia Development Lab, IBM

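The failure mode both messages describe, worked through on a constructed archive (this is added example code, not readelf's or binutils' own, and its walker is a simplified stand-in for process_archive). It assumes the standard 60-byte ar member header layout (16-byte name, 12-byte date, 6-byte uid, 6-byte gid, 8-byte mode, 10-byte decimal size, 2-byte "`\n" magic, data padded to an even boundary) and that the size field is converted with strtoul, which accepts a leading '-' and negates in unsigned arithmetic, so a field reading "-60" becomes ULONG_MAX - 59. Whether readelf parses ar_size exactly this way is an assumption; the arithmetic is not. The crafted size is chosen so that `offset + 60 + size` wraps to exactly the header's own offset, which is what makes the naive walker revisit the same header forever. The `check_overflow` flag selects between that naive behaviour and the `sum < addend` wraparound test from the first patch; the bounds check is written as a subtraction so it cannot itself wrap, which is the caveat behind the `-1ul` sentinel in the second patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AR_MAGIC     "!<arch>\n"
#define AR_MAGIC_LEN 8
#define AR_HDR_SIZE  60   /* name(16) date(12) uid(6) gid(6) mode(8) size(10) fmag(2) */
#define AR_SIZE_OFF  48   /* offset of the 10-byte decimal ar_size field in the header */
#define AR_FMAG_OFF  58   /* offset of the 2-byte "`\n" header terminator */

enum walk_status { WALK_OK, WALK_BAD_HEADER, WALK_OVERFLOW, WALK_LOOPED };

/* Append one member (header + data) at *pos.  size_field is written verbatim,
   so a caller can plant a bogus value such as "-60" in the ar_size slot. */
static void put_member(unsigned char *buf, size_t *pos, const char *name,
                       const char *size_field, const char *data, size_t data_len)
{
  /* %-Ns left-justifies and space-pads each field to the fixed ar_hdr width;
     the widths sum to 60, so n is always AR_HDR_SIZE.  The trailing NUL that
     snprintf writes is overwritten by the member data copied right after. */
  int n = snprintf((char *) buf + *pos, AR_HDR_SIZE + 1,
                   "%-16s%-12s%-6s%-6s%-8s%-10s`\n",
                   name, "0", "0", "0", "644", size_field);
  *pos += (size_t) n;
  memcpy(buf + *pos, data, data_len);
  *pos += data_len;
}

/* Constructed sample archive: a sane 4-byte member followed by a second member
   whose ar_size is either a sane "2" or the crafted "-60".  Returns the length
   (134 bytes in both cases); buf must hold at least that many bytes. */
static size_t build_archive(unsigned char *buf, bool crafted)
{
  size_t pos = 0;
  memcpy(buf, AR_MAGIC, AR_MAGIC_LEN);
  pos = AR_MAGIC_LEN;
  put_member(buf, &pos, "a.o/", "4", "AAAA", 4);
  put_member(buf, &pos, "b.o/", crafted ? "-60" : "2", "BB", 2);
  return pos;
}

/* Walk the member headers the way a naive archive reader does.  With
   check_overflow set, a wrapped next-header offset is reported instead of
   being followed.  max_iters bounds the naive walker so the example terminates;
   *members receives how many headers were visited. */
static enum walk_status walk_archive(const unsigned char *buf, size_t len,
                                     bool check_overflow, int max_iters,
                                     int *members)
{
  unsigned long off = AR_MAGIC_LEN;
  *members = 0;
  if (len < AR_MAGIC_LEN || memcmp(buf, AR_MAGIC, AR_MAGIC_LEN) != 0)
    return WALK_BAD_HEADER;

  for (int iter = 0; iter < max_iters; iter++)
    {
      /* Bounds check as a subtraction: "off + AR_HDR_SIZE <= len" would wrap
         to a small number if off were ever pushed to ULONG_MAX. */
      if (off > len || len - off < AR_HDR_SIZE)
        return WALK_OK;                         /* clean end of archive */

      const unsigned char *hdr = buf + off;
      if (memcmp(hdr + AR_FMAG_OFF, "`\n", 2) != 0)
        return WALK_BAD_HEADER;

      char size_field[11];
      memcpy(size_field, hdr + AR_SIZE_OFF, 10);
      size_field[10] = '\0';
      /* strtoul negates a '-' prefixed value in unsigned arithmetic:
         "-60" yields ULONG_MAX - 59, a "negative" size. */
      unsigned long size = strtoul(size_field, NULL, 10);

      unsigned long next = off + AR_HDR_SIZE + size;
      (*members)++;
      /* Unsigned wraparound test: the sum is smaller than an addend only if
         it wrapped.  For the crafted member, next == off again. */
      if (check_overflow && next < size)
        return WALK_OVERFLOW;
      if (size & 1)
        next++;                                 /* pad data to an even boundary */
      off = next;
    }
  return WALK_LOOPED;                           /* naive walker never got out */
}

int main(void)
{
  unsigned char buf[256];
  int members;
  size_t len = build_archive(buf, true);
  enum walk_status s = walk_archive(buf, len, false, 100, &members);
  printf("naive walk:   status %d after %d headers\n", s, members);
  s = walk_archive(buf, len, true, 100, &members);
  printf("checked walk: status %d after %d headers\n", s, members);
  return 0;
}
```

The naive walk visits the crafted header over and over until the iteration cap stops it; the checked walk reports the overflow on the second header. Against the sane archive both variants finish normally after two members, so the check adds no false positives on the valid layout.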