Fix illegal memory access when parsing a corrupt PE format file.
authorNick Clifton <nickc@redhat.com>
Fri, 30 Apr 2021 11:11:35 +0000 (12:11 +0100)
committerNick Clifton <nickc@redhat.com>
Fri, 30 Apr 2021 11:11:35 +0000 (12:11 +0100)
PR 27795
* coff-rs6000.c (_bfd_xcoff_read_ar_hdr): Check for invalid name
lengths.

bfd/ChangeLog
bfd/coff-rs6000.c

index 4bdee1cb1235289814f862770595e8d4554a3114..cd904dac58630f0456ae6d9111ced52fafb5f9ad 100644 (file)
@@ -1,3 +1,9 @@
+2021-04-30  Nick Clifton  <nickc@redhat.com>
+
+       PR 27795
+       * coff-rs6000.c (_bfd_xcoff_read_ar_hdr): Check for invalid name
+       lengths.
+
 2021-04-29  Nick Clifton  <nickc@redhat.com>
 
        PR 27793
index 491efbae80c086dc0eeb8aae32efd9f81127482d..0745421cf11d5860a9a4540d8d079c35397b8434 100644 (file)
@@ -1619,6 +1619,8 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd)
        return NULL;
 
       GET_VALUE_IN_FIELD (namlen, hdr.namlen, 10);
+      if (namlen > bfd_get_file_size (abfd))
+       return NULL;
       amt = sizeof (struct areltdata) + SIZEOF_AR_HDR + namlen + 1;
       ret = (struct areltdata *) bfd_malloc (amt);
       if (ret == NULL)
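Review bot: The bound added on line 29 compares namlen against the whole file size, so it stops the `amt` sum on line 31 from wrapping and rejects an absurd allocation, but it does not bound namlen against the bytes still remaining after the header just read, so the subsequent copy of the name into the new areltdata (outside this hunk) must still check for a short bfd_bread rather than trusting namlen. A why-comment would help the next reader, since nothing here says this is the PR 27795 fix: `/* NAMLEN is an untrusted decimal field; a value larger than the file cannot be a real name and would make AMT wrap or bfd_malloc huge (PR 27795).  */`. I believe bfd_get_file_size returns 0 when the size cannot be determined, which would make this guard reject every non-empty name for such BFDs — conservative, but worth confirming. _bfd_xcoff_read_ar_hdr begins before and continues after this hunk.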
@@ -1646,6 +1648,8 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd)
        return NULL;
 
       GET_VALUE_IN_FIELD (namlen, hdr.namlen, 10);
+      if (namlen > bfd_get_file_size (abfd))
+       return NULL;
       amt = sizeof (struct areltdata) + SIZEOF_AR_HDR_BIG + namlen + 1;
       ret = (struct areltdata *) bfd_malloc (amt);
       if (ret == NULL)
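Review bot: The guard on lines 38-39 is a verbatim copy of the small-format one and, like it, carries no comment, so a reader cannot tell why the file size rather than a fixed field maximum is the bound; `/* A negative or oversized NAMLEN (the field is parsed as a signed decimal) would wrap AMT below; anything larger than the file is corrupt.  */` above line 38 would record that. The signed-parse wrap is my inference from the choice of a whole-file comparison over a field-width limit — confirm against GET_VALUE_IN_FIELD before wording it that way. Separately, the commit title speaks of a corrupt PE file while both hunks sit in the XCOFF archive header reader, which may be worth correcting in the message. The enclosing function continues outside this hunk.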