Date: Thu, 20 Apr 2023 08:37:34 +0930
From: Alan Modra
To: binutils@sourceware.org
Subject: Yet another out-of-memory fuzzed object

Do I care about out of memory conditions triggered by fuzzers? Not much. Your operating system ought to be able to handle it by killing the memory hog. Oh well, this one was an element of a coff-alpha archive that said it was a little less than 2**64 in size. The coff-alpha compression scheme expands at most 8 times, so we can do better in bfd_get_file_size.

	* bfdio.c (bfd_get_file_size): Assume elements in compressed archive can only expand a maximum of eight times.
	* coffgen.c (_bfd_coff_get_external_symbols): Sanity check size of symbol table against file size.

diff --git a/bfd/bfdio.c b/bfd/bfdio.c index 337d4a10b66..990d349d428 100644 --- a/bfd/bfdio.c +++ b/bfd/bfdio.c 
@@ -524,6 +524,7 @@ ufile_ptr bfd_get_file_size (bfd *abfd) { ufile_ptr file_size, archive_size = (ufile_ptr) -1; + unsigned int compression_p2 = 0; if (abfd->my_archive != NULL && !bfd_is_thin_archive (abfd->my_archive)) @@ -532,17 +533,17 @@ bfd_get_file_size (bfd *abfd) if (adata != NULL) { archive_size = adata->parsed_size; - /* If the archive is compressed we can't compare against - file size. */ + /* If the archive is compressed, assume an element won't + expand more than eight times file size. */ if (adata->arch_header != NULL && memcmp (((struct ar_hdr *) adata->arch_header)->ar_fmag, "Z\012", 2) == 0) - return archive_size; + compression_p2 = 3; abfd = abfd->my_archive; } } - file_size = bfd_get_size (abfd); + file_size = bfd_get_size (abfd) << compression_p2; if (archive_size < file_size) return archive_size; return file_size; diff --git a/bfd/coffgen.c b/bfd/coffgen.c index 4725406b5ae..05f2640abe2 100644 --- a/bfd/coffgen.c +++ b/bfd/coffgen.c @@ -1551,6 +1551,7 @@ _bfd_coff_get_external_symbols (bfd *abfd) size_t symesz; size_t size; void * syms; + ufile_ptr filesize; if (obj_coff_external_syms (abfd) != NULL) return true; @@ -1565,6 +1566,15 @@ _bfd_coff_get_external_symbols (bfd *abfd) if (size == 0) return true; + filesize = bfd_get_file_size (abfd); + if (filesize != 0 + && ((ufile_ptr) obj_sym_filepos (abfd) > filesize + || size > filesize - obj_sym_filepos (abfd))) + { + bfd_set_error (bfd_error_file_truncated); + return false; + } + if (bfd_seek (abfd, obj_sym_filepos (abfd), SEEK_SET) != 0) return false; syms = _bfd_malloc_and_read (abfd, size, size); -- Alan Modra Australia Development Lab, IBM
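Review bot: in the second bfdio.c hunk, `file_size = bfd_get_size (abfd) << compression_p2;` wraps to a small value if bfd_get_size returns a size with any of its top three bits set, which would turn the intended 8x upper bound into an undersized one; a saturating form (test `bfd_get_size (abfd) > ((ufile_ptr) -1 >> compression_p2)` before shifting and fall back to the unbounded `(ufile_ptr) -1` in that case) costs a single comparison. The replaced comment could also say where the factor of eight comes from, i.e. the coff-alpha compression scheme named in the message, because bfd_get_file_size is generic code and the `"Z\012"` fmag test on its own does not explain the bound to a later reader.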
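Review bot: in the coffgen.c check, `obj_sym_filepos (abfd)` is cast to ufile_ptr in the first comparison but used unconverted in `size > filesize - obj_sym_filepos (abfd)`; the result is the same because the subtraction promotes to ufile_ptr anyway, but a local `ufile_ptr sympos = obj_sym_filepos (abfd);` used in both places would make the signed-to-unsigned conversion explicit and read more easily. A one-line comment that `filesize == 0` means the size is unknown and the check is deliberately skipped would also help, since that is the only remaining path on which an oversized `size` reaches `_bfd_malloc_and_read`.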
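The two checks the patch introduces, as an added stand-alone model that is not Alan Modra's code and not part of BFD: `bounded_file_size` plays the role of `bfd_get_file_size` after the patch (raw container size, archive header size, and a power-of-two expansion bound, with `NO_BOUND` standing in for the `(ufile_ptr) -1` initial value of `archive_size`), and `symtab_fits_in_file` mirrors the offset/size sanity check added to `_bfd_coff_get_external_symbols`. The function names, the `ufile_ptr_t` typedef and the sample values are assumptions made here; the one deliberate difference from the patch is that the shift saturates instead of wrapping.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Stand-in for BFD's ufile_ptr (an unsigned 64-bit file offset).  */
typedef uint64_t ufile_ptr_t;

/* "No bound known" marker, mirroring the (ufile_ptr) -1 initial value
   of archive_size in bfd_get_file_size.  */
#define NO_BOUND ((ufile_ptr_t) -1)

/* Hypothetical stand-in for bfd_get_file_size after the patch.
   raw_size      : on-disk size of the container file, as bfd_get_size
                   would report it.
   archive_size  : size claimed by the element's archive header, or
                   NO_BOUND when the object is not an archive element.
   compression_p2: log2 of the maximum decompression ratio; 3 (8x) for
                   the coff-alpha scheme discussed in the mail, 0 when the
                   archive is not compressed.
   Unlike the patch, the shift saturates instead of wrapping when the raw
   size has any of its top compression_p2 bits set.  */
ufile_ptr_t
bounded_file_size (ufile_ptr_t raw_size, ufile_ptr_t archive_size,
                   unsigned int compression_p2)
{
  ufile_ptr_t file_size;

  if (compression_p2 >= 64 || raw_size > (NO_BOUND >> compression_p2))
    file_size = NO_BOUND;       /* shift would overflow: no usable bound */
  else
    file_size = raw_size << compression_p2;

  /* The element cannot be larger than its header claims, nor larger than
     everything in the container could decompress to.  */
  if (archive_size < file_size)
    return archive_size;
  return file_size;
}

/* Hypothetical stand-in for the check added to
   _bfd_coff_get_external_symbols: does a symbol table of SIZE bytes at
   file offset SYMPOS fit inside a file of FILESIZE bytes?  FILESIZE == 0
   means "unknown" and, as in the patch, the check is skipped.  */
bool
symtab_fits_in_file (ufile_ptr_t filesize, int64_t sympos, ufile_ptr_t size)
{
  if (filesize == 0)
    return true;
  if (sympos < 0)
    return false;               /* a negative offset never makes sense */
  if ((ufile_ptr_t) sympos > filesize)
    return false;               /* table would start past end of file */
  /* Written as a subtraction so that sympos + size cannot wrap around.  */
  return size <= filesize - (ufile_ptr_t) sympos;
}

int
main (void)
{
  /* Constructed scenario modelled on the fuzzed input in the mail: a
     4 KiB compressed coff-alpha archive whose element header claims a
     size just under 2**64.  */
  ufile_ptr_t raw_size = 4096;
  ufile_ptr_t claimed = NO_BOUND - 1;
  ufile_ptr_t bound = bounded_file_size (raw_size, claimed, 3);

  printf ("element bounded to %" PRIu64 " bytes (header claimed %" PRIu64 ")\n",
          bound, claimed);

  /* A symbol table that would previously have been handed to malloc at
     nearly 2**63 bytes is now rejected before any allocation happens.  */
  ufile_ptr_t huge_symtab = (ufile_ptr_t) 1 << 63;
  printf ("symtab of %" PRIu64 " bytes at offset 100: %s\n", huge_symtab,
          symtab_fits_in_file (bound, 100, huge_symtab) ? "accepted" : "rejected");
  printf ("symtab of 32000 bytes at offset 100: %s\n",
          symtab_fits_in_file (bound, 100, 32000) ? "accepted" : "rejected");
  return 0;
}
```

The point of the two-step structure is that the bound is derived from data the attacker does not control (the stat size of the container) rather than from the header alone, and the offset check is phrased as a subtraction against that bound so no intermediate sum can overflow.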