public inbox for binutils@sourceware.org
* macho-o archive sanity checks
@ 2021-11-01 12:05 Alan Modra
From: Alan Modra @ 2021-11-01 12:05 UTC (permalink / raw)
  To: binutils

Anti-fuzzing checks.

	* mach-o.c (bfd_mach_o_fat_archive_p): Sanity check entry offset
	and size against file size.

diff --git a/bfd/mach-o.c b/bfd/mach-o.c
index 31a109b17a8..1f0d4700811 100644
--- a/bfd/mach-o.c
+++ b/bfd/mach-o.c
@@ -5509,6 +5509,7 @@ bfd_mach_o_fat_archive_p (bfd *abfd)
   struct mach_o_fat_header_external hdr;
   unsigned long i;
   size_t amt;
+  ufile_ptr filesize;
 
   if (bfd_seek (abfd, 0, SEEK_SET) != 0
       || bfd_bread (&hdr, sizeof (hdr), abfd) != sizeof (hdr))
@@ -5538,6 +5539,7 @@ bfd_mach_o_fat_archive_p (bfd *abfd)
   if (adata->archentries == NULL)
     goto error;
 
+  filesize = bfd_get_file_size (abfd);
   for (i = 0; i < adata->nfat_arch; i++)
     {
       struct mach_o_fat_arch_external arch;
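Review bot: the `filesize = bfd_get_file_size (abfd);` assignment before the loop needs a short comment stating that a result of 0 is treated as "size not known". The later test is guarded by `filesize != 0`, so in that case every entry's offset and size are accepted unchecked, and a reader of this line alone cannot tell that the validation is best-effort.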
@@ -5548,6 +5550,15 @@ bfd_mach_o_fat_archive_p (bfd *abfd)
       adata->archentries[i].offset = bfd_getb32 (arch.offset);
       adata->archentries[i].size = bfd_getb32 (arch.size);
       adata->archentries[i].align = bfd_getb32 (arch.align);
+      if (filesize != 0
+	  && (adata->archentries[i].offset > filesize
+	      || (adata->archentries[i].size
+		  > filesize - adata->archentries[i].offset)))
+	{
+	  bfd_release (abfd, adata);
+	  bfd_set_error (bfd_error_malformed_archive);
+	  return NULL;
+	}
     }
 
   abfd->tdata.mach_o_fat_data = adata;
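Review bot: the new failure branch inside the loop calls `bfd_release (abfd, adata)` and does `return NULL` directly, while the `adata->archentries == NULL` check a few lines earlier in the same function uses `goto error`. Unless the `error` label does something unsuitable here, jumping to it would keep a single cleanup path. The bounds test itself is ordered so the subtraction cannot wrap (`offset > filesize` is rejected before `size > filesize - offset` is evaluated), but it only bounds each entry against end of file. An entry whose offset points back into the fat header or the arch table, or two entries that overlap each other, still passes. If those are meant to be rejected as malformed too, a lower bound on `offset` should be added alongside this check.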

-- 
Alan Modra
Australia Development Lab, IBM
