With a crafted "negative" ar_hdr.ar_size it is possible to make
readelf loop. This patch catches the overflow in a file offset
calculation.
* readelf.c (process_archive): Prevent endless loop.
+2020-03-25 Alan Modra <amodra@gmail.com>
+
+ * readelf.c (process_archive): Prevent endless loop.
+
2020-03-24 H.J. Lu <hongjiu.lu@intel.com>
PR binutils/25708
{
free (name);
archive_file_offset = arch.next_arhdr_offset;
- arch.next_arhdr_offset += archive_file_size;
-
filedata->file_name = qualified_name;
if (! process_object (filedata))
ret = FALSE;
+ arch.next_arhdr_offset += archive_file_size;
+ /* Stop looping with "negative" archive_file_size. */
+ if (arch.next_arhdr_offset < archive_file_size)
+ break;
}
free (qualified_name);
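Review bot: the `break` added after the wrap check leaves the block before reaching the `free (qualified_name);` that follows the closing brace, so if that call is still inside the loop body, the name is leaked on exactly the malformed archives this path is meant to handle. Consider freeing `qualified_name` before the `break`, or forcing the loop to end at the top of its next iteration instead of jumping out here. The early exit also leaves `ret` untouched and prints nothing, so a member with a wrapped size is reported as success; setting `ret = FALSE` and emitting an error before stopping would make the corruption visible to the caller. Finally, the test `arch.next_arhdr_offset < archive_file_size` only detects the overflow if both operands are unsigned and of the same width; the declarations are not in this hunk, so it is worth confirming that, or noting it in the comment.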