From: Alan Modra
Date: Wed, 4 Mar 2020 23:12:41 +0000 (+1030)
Subject: Large memory allocation reading fuzzed 64-bit archive
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=6f8f95b4c4785e053f96b473039e244473a85ee5;p=binutils-gdb.git
Large memory allocation reading fuzzed 64-bit archive
This patch adds a sanity check for the size of an armap.
* archive64.c (_bfd_archive_64_bit_slurp_armap): Check parsed_size against file size before allocating memory. Use bfd_alloc rather than bfd_zalloc for carsym/strings memory.
---
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 821978cf6a8..9f1a9424ae4 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2020-03-05 Alan Modra
+
+ * archive64.c (_bfd_archive_64_bit_slurp_armap): Check parsed_size
+ against file size before allocating memory. Use bfd_alloc rather
+ than bfd_zalloc for carsym/strings memory.
+
 2020-03-04 Alan Modra
 * elf.c (elf_fake_sections): Ensure sh_addralign is such that
diff --git a/bfd/archive64.c b/bfd/archive64.c
index d4b0c3cf0cf..5e1443932ce 100644
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -47,6 +47,7 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
 bfd_byte *raw_armap = NULL;
 carsym *carsyms;
 bfd_size_type amt;
+ ufile_ptr filesize;
 ardata->symdefs = NULL;
@@ -76,6 +77,13 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
 parsed_size = mapdata->parsed_size;
 free (mapdata);
+ filesize = bfd_get_file_size (abfd);
+ if (filesize != 0 && parsed_size > filesize)
+ {
+ bfd_set_error (bfd_error_malformed_archive);
+ return FALSE;
+ }
+
 if (bfd_bread (int_buf, 8, abfd) != 8)
 {
 if (bfd_get_error () != bfd_error_system_call)
@@ -102,7 +110,7 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
 bfd_set_error (bfd_error_malformed_archive);
 return FALSE;
 }
- ardata->symdefs = (struct carsym *) bfd_zalloc (abfd, amt);
+ ardata->symdefs = (struct carsym *) bfd_alloc (abfd, amt);
 if (ardata->symdefs == NULL)
 return FALSE;
 carsyms = ardata->symdefs;
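Review bot: The new guard `if (filesize != 0 && parsed_size > filesize)` skips the bound entirely when bfd_get_file_size returns 0, which it does when the size cannot be determined (and for an empty file), so on such a BFD the allocation later sized from the attacker-controlled parsed_size remains unbounded; that is a defensible trade-off for non-seekable input, but it deserves a comment on the line, e.g. `/* Size unknown (bfd_get_file_size returned 0): parsed_size cannot be bounded here.  */`. The bound is also looser than it needs to be: parsed_size is accepted up to the whole file size although the armap data starts after the archive signature and the member header already consumed, so comparing against the bytes remaining from the current offset (current position subtracted from filesize, guarding against the position already being past the end) would reject more malformed inputs before any allocation; I am inferring the offset layout from the member-header read that precedes this hunk. The enclosing function starts before the hunk.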
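Review bot: Replacing bfd_zalloc with bfd_alloc on `ardata->symdefs = (struct carsym *) bfd_alloc (abfd, amt);` drops the zero-fill, so every byte of the block must now be written explicitly by the code after the hunk; the ChangeLog says this block also holds the strings ("carsym/strings memory"), and if the string table's terminating NUL or any carsym field previously relied on the zeroed memory, a truncated or fuzzed string table now yields an uninitialized read instead of a clean terminator. Once the fill loop below has been checked, record the invariant on the line: `/* Not zeroed: the loop below fills every carsym, and the string table is NUL-terminated explicitly.  */`. The code that populates carsyms after `carsyms = ardata->symdefs;` is outside the hunk, so I cannot confirm it from here.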