XCOFF archive sanity check
authorAlan Modra <amodra@gmail.com>
Sat, 18 Mar 2023 06:04:08 +0000 (16:34 +1030)
committerAlan Modra <amodra@gmail.com>
Sun, 19 Mar 2023 11:49:19 +0000 (22:19 +1030)
XCOFF archive elements are in a linked list.  Add a little more sanity
checking.  This of course doesn't stop the fuzzers finding a way to
make a loop, but this check is cheap.

* coff-rs6000.c (_bfd_xcoff_openr_next_archived_file): Sanity
check that next element isn't pointing back to the header.

bfd/coff-rs6000.c

index 4b7b5d315df123c3549bce23d47fe8a01a80358e..735d434951eddf0f291b1affb691fa73e44b4be2 100644 (file)
@@ -1714,8 +1714,11 @@ _bfd_xcoff_openr_next_archived_file (bfd *archive, bfd *last_file)
          laststart -= SIZEOF_AR_HDR + arel->extra_size;
        }
 
-      /* Sanity check that we aren't pointing into the previous element.  */
-      if (filestart != 0 && filestart >= laststart && filestart < lastend)
+      /* Sanity check that we aren't pointing into the previous element,
+        or into the header.  */
+      if (filestart != 0
+         && (filestart < SIZEOF_AR_FILE_HDR
+             || (filestart >= laststart && filestart < lastend)))
        {
          bfd_set_error (bfd_error_malformed_archive);
          return NULL;
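Review bot: The added `filestart < SIZEOF_AR_FILE_HDR` term rejects a next-element offset that lands inside the archive file header, but the condition still has no upper bound, so an offset past the end of the archive passes this check and is only caught, if at all, when the element header is read later; if the archive's size is already available in this function, a third term such as `|| filestart >= ARCHIVE_SIZE_PLACEHOLDER` would reject it at the same cost. The same three-term check is repeated in the big-format hunk below with SIZEOF_AR_FILE_HDR_BIG; factoring both into one static helper that takes the header size as a parameter would keep the two in step and avoid the comment drift already visible (the small-format comment has a comma after "element", the big-format one does not). The enclosing _bfd_xcoff_openr_next_archived_file starts and ends outside both hunks, so whether a size value is in scope cannot be confirmed from here.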
@@ -1747,8 +1750,11 @@ _bfd_xcoff_openr_next_archived_file (bfd *archive, bfd *last_file)
          laststart -= SIZEOF_AR_HDR_BIG + arel->extra_size;
        }
 
-      /* Sanity check that we aren't pointing into the previous element.  */
-      if (filestart != 0 && filestart >= laststart && filestart < lastend)
+      /* Sanity check that we aren't pointing into the previous element
+        or into the header.  */
+      if (filestart != 0
+         && (filestart < SIZEOF_AR_FILE_HDR_BIG
+             || (filestart >= laststart && filestart < lastend)))
        {
          bfd_set_error (bfd_error_malformed_archive);
          return NULL;