PR24644, OOM-Bug in _bfd_archive_64_bit_slurp_armap

author Alan Modra <amodra@gmail.com>

Wed, 7 Aug 2019 09:23:09 +0000 (18:53 +0930)

committer Alan Modra <amodra@gmail.com>

Wed, 7 Aug 2019 09:31:17 +0000 (19:01 +0930)
author Alan Modra <amodra@gmail.com>
Wed, 7 Aug 2019 09:23:09 +0000 (18:53 +0930)
committer Alan Modra <amodra@gmail.com>
Wed, 7 Aug 2019 09:31:17 +0000 (19:01 +0930)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog

index ae30d7e..6958ed7 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2019-08-07  Alan Modra  <amodra@gmail.com>
+
+       PR 24644
+       * archive64.c (_bfd_archive_64_bit_slurp_armap): Properly check
+       for overflow in expressions involving nsymz.
+
  2019-08-01  Ilia Diachkov  <ilia.diachkov@optimitech.com>
  
         * elfnn-riscv.c (_bfd_riscv_relax_lui): Set lui relax safety area to
diff --git a/bfd/archive64.c b/bfd/archive64.c

index 42f6ed9..a2c628e 100644 (file)
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -90,7 +90,14 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
    ptrsize = 8 * nsymz;
  
    amt = carsym_size + stringsize + 1;
-  if (carsym_size < nsymz || ptrsize < nsymz || amt < nsymz)
+  if (/* Catch overflow in stringsize (and ptrsize) expression.  */
+      nsymz >= (bfd_size_type) -1 / 8
+      || stringsize > parsed_size
+      /* Catch overflow in carsym_size expression.  */
+      || nsymz > (bfd_size_type) -1 / sizeof (carsym)
+      /* Catch overflow in amt expression.  */
+      || amt <= carsym_size
+      || amt <= stringsize)
      {
        bfd_set_error (bfd_error_malformed_archive);
        return FALSE;
author	Alan Modra <amodra@gmail.com>
	Wed, 7 Aug 2019 09:23:09 +0000 (18:53 +0930)
committer	Alan Modra <amodra@gmail.com>
	Wed, 7 Aug 2019 09:31:17 +0000 (19:01 +0930)
bfd/ChangeLog		patch \| blob \| history
bfd/archive64.c		patch \| blob \| history