From: Alan Modra Date: Wed, 25 Mar 2020 11:55:37 +0000 (+1030) Subject: readelf looping in process_archive X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=4c83662712;p=binutils-gdb.git readelf looping in process_archive With a crafted "negative" ar_hdr.ar_size it is possible to make readelf loop. This patch catches the overflow in a file offset calculation. * readelf.c (process_archive): Prevent endless loop. --- diff --git a/binutils/ChangeLog b/binutils/ChangeLog index accd265007e..2f551f10316 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,7 @@ +2020-03-25 Alan Modra + + * readelf.c (process_archive): Prevent endless loop. + 2020-03-24 H.J. Lu PR binutils/25708 diff --git a/binutils/readelf.c b/binutils/readelf.c index 1f0f49222fd..9bc15e4d0b2 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -20505,11 +20505,13 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive) { free (name); archive_file_offset = arch.next_arhdr_offset; - arch.next_arhdr_offset += archive_file_size; - filedata->file_name = qualified_name; if (! process_object (filedata)) ret = FALSE; + arch.next_arhdr_offset += archive_file_size; + /* Stop looping with "negative" archive_file_size. */ + if (arch.next_arhdr_offset < archive_file_size) + break; } free (qualified_name);
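Review bot: The new `break` after the wrap check leaves the loop with no diagnostic and without touching `ret`, so an archive whose member size overflows the offset is still reported as processed successfully when `process_object` returned true; adding `ret = FALSE;` and an `error (...)` call before the `break` would make the malformed input visible to callers and scripts. The context line `free (qualified_name);` follows the closing brace of this block, and if it sits inside the same loop (the loop header is outside the hunk) the `break` skips it and leaks the name. The test `arch.next_arhdr_offset < archive_file_size` detects wraparound only when both operands are unsigned; their declarations are not visible here, so that is worth confirming. `process_object` also runs on the member before the size is checked, so the check bounds the loop rather than the member being parsed. process_archive starts and ends outside the hunk.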