Large memory allocation reading fuzzed 64-bit archive

This patch adds a sanity check for the size of an armap.

	* archive64.c (_bfd_archive_64_bit_slurp_armap): Check parsed_size
	against file size before allocating memory.  Use bfd_alloc rather
	than bfd_zalloc for carsym/strings memory.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 821978cf6a8d1b573793774ab513ca1ecbaf3e77..9f1a9424ae490d6998294421b5402352e0ee4fa9 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2020-03-05  Alan Modra  <amodra@gmail.com>
+
+       * archive64.c (_bfd_archive_64_bit_slurp_armap): Check parsed_size
+       against file size before allocating memory.  Use bfd_alloc rather
+       than bfd_zalloc for carsym/strings memory.
+
 2020-03-04  Alan Modra  <amodra@gmail.com>
 
        * elf.c (elf_fake_sections): Ensure sh_addralign is such that

diff --git a/bfd/archive64.c b/bfd/archive64.c
index d4b0c3cf0cf659992196f934d57d09e716587ec1..5e1443932cef5e10f775cb060908766ccc36534d 100644 (file)
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -47,6 +47,7 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
   bfd_byte *raw_armap = NULL;
   carsym *carsyms;
   bfd_size_type amt;
+  ufile_ptr filesize;
 
   ardata->symdefs = NULL;
 
@@ -76,6 +77,13 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
   parsed_size = mapdata->parsed_size;
   free (mapdata);
 
+  filesize = bfd_get_file_size (abfd);
+  if (filesize != 0 && parsed_size > filesize)
+    {
+      bfd_set_error (bfd_error_malformed_archive);
+      return FALSE;
+    }
+
   if (bfd_bread (int_buf, 8, abfd) != 8)
     {
       if (bfd_get_error () != bfd_error_system_call)
@@ -102,7 +110,7 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
       bfd_set_error (bfd_error_malformed_archive);
       return FALSE;
     }
-  ardata->symdefs = (struct carsym *) bfd_zalloc (abfd, amt);
+  ardata->symdefs = (struct carsym *) bfd_alloc (abfd, amt);
   if (ardata->symdefs == NULL)
     return FALSE;
   carsyms = ardata->symdefs;