Date: Sun, 19 Mar 2023 22:23:04 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: XCOFF archive sanity check

XCOFF archive elements are in a linked list. Add a little more sanity checking. This of course doesn't stop the fuzzers finding a way to make a loop, but this check is cheap.

	* coff-rs6000.c (_bfd_xcoff_openr_next_archived_file): Sanity check that next element isn't pointing back to the header.

diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c index 4b7b5d315df..735d434951e 100644 --- a/bfd/coff-rs6000.c +++ b/bfd/coff-rs6000.c
@@ -1714,8 +1714,11 @@ _bfd_xcoff_openr_next_archived_file (bfd *archive, bfd *last_file) laststart -= SIZEOF_AR_HDR + arel->extra_size; } - /* Sanity check that we aren't pointing into the previous element. */ - if (filestart != 0 && filestart >= laststart && filestart < lastend) + /* Sanity check that we aren't pointing into the previous element, + or into the header. */ + if (filestart != 0 + && (filestart < SIZEOF_AR_FILE_HDR + || (filestart >= laststart && filestart < lastend))) { bfd_set_error (bfd_error_malformed_archive); return NULL; @@ -1747,8 +1750,11 @@ _bfd_xcoff_openr_next_archived_file (bfd *archive, bfd *last_file) laststart -= SIZEOF_AR_HDR_BIG + arel->extra_size; } - /* Sanity check that we aren't pointing into the previous element. */ - if (filestart != 0 && filestart >= laststart && filestart < lastend) + /* Sanity check that we aren't pointing into the previous element + or into the header. */ + if (filestart != 0 + && (filestart < SIZEOF_AR_FILE_HDR_BIG + || (filestart >= laststart && filestart < lastend))) { bfd_set_error (bfd_error_malformed_archive); return NULL; -- Alan Modra Australia Development Lab, IBM
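Review bot: in the first hunk (the small-format check at line 1714) the new condition still accepts a next-element offset that lands on any earlier element other than the immediately previous one, because the only ranges rejected are `filestart < SIZEOF_AR_FILE_HDR` and `laststart <= filestart < lastend`; the commit message says as much, but if a loop is the concern, remembering the offsets already visited (or bounding the number of elements by the archive size) would close it rather than narrowing the window. The `filestart != 0` guard exempts a zero offset from both the old and the new check, so whatever a zero next-offset means further down is unchanged by this hunk.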
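Review bot: the second hunk (the big-format check at line 1747) duplicates the first except for SIZEOF_AR_HDR_BIG and SIZEOF_AR_FILE_HDR_BIG, and the two comments have already drifted ("previous element, or into the header" versus "previous element or into the header"); a small static helper taking the file header size as a parameter would keep the two conditions and their comments in sync. It is also worth confirming that `filestart` is an unsigned file offset here: with a signed type the `< SIZEOF_AR_FILE_HDR_BIG` comparison also rejects negative values, which is desirable but should be intended rather than incidental.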