alpha-coff: large memory allocation

	* coff-alpha.c (alpha_ecoff_get_elt_at_filepos): Provide an upper
	limit to decompressed element size.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index d37c2cd98d918877195b086f287058646931acb8..683bcfed85c879bea9b9e941204d841132a4f8ea 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,8 @@
+2020-03-02  Alan Modra  <amodra@gmail.com>
+
+       * coff-alpha.c (alpha_ecoff_get_elt_at_filepos): Provide an upper
+       limit to decompressed element size.
+
 2020-03-02  Alan Modra  <amodra@gmail.com>
 
        * vms-lib.c (vms_traverse_index): Add recur_count param and

diff --git a/bfd/coff-alpha.c b/bfd/coff-alpha.c
index 4b39bcc999dc0d49d3747bc9df5e80f5360a9fb8..9a3ac089a672a6214b274835c22171182265477a 100644 (file)
--- a/bfd/coff-alpha.c
+++ b/bfd/coff-alpha.c
@@ -2050,6 +2050,7 @@ alpha_ecoff_get_elt_at_filepos (bfd *archive, file_ptr filepos)
   bfd_size_type size;
   bfd_byte *buf, *p;
   struct bfd_in_memory *bim;
+  ufile_ptr filesize;
 
   buf = NULL;
   nbfd = _bfd_get_elt_at_filepos (archive, filepos);
@@ -2083,6 +2084,14 @@ alpha_ecoff_get_elt_at_filepos (bfd *archive, file_ptr filepos)
     goto error_return;
   size = H_GET_64 (nbfd, ab);
 
+  /* The decompression algorithm will at most expand by eight times.  */
+  filesize = bfd_get_file_size (archive);
+  if (filesize != 0 && size / 8 > filesize)
+    {
+      bfd_set_error (bfd_error_malformed_archive);
+      goto error_return;
+    }
+
   if (size != 0)
     {
       bfd_size_type left;